The _gnutls_x509_verify_certificate fix

Nikos Mavrogiannopoulos nmav at
Mon Nov 10 21:04:52 CET 2008

On Mon, Nov 10, 2008 at 2:47 PM, Tomas Mraz <tmraz at> wrote:
> Hello,
> given the recent fix in the _gnutls_x509_verify_certificate I have been
> looking at the function. I see there are currently some limitations in
> it. For example it now doesn't allow verification of explicitely trusted
> self-signed site certificate. Is there some other method how this could
> be achieved?
You can achieve it by associating an address of a website with the
keyid of the given
certificate. This is more generic of trusting a self-signed
certificate. You can trust any
certificate first presented when accessing a website that way (ssh security).

> The other limitation is that only the last certificate (after removing
> eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.

Indeed this algorithm is primitive. The idea was to allow applications
to override it
with custom-made advanced verification, but under with the current bug
discovered in
a "simple" algorithm I no longer think this is a good idea. Probably a
more advanced
verification subsystem should exist with enough hooks so applications
could get detailed
information about the verification[0].

However something like this is not in my near-future plans. We would
be happy to receive,
review and add patches for this functionality though.

[0]. the whole idea of having a simplified verification algorithm in
gnutls was because I
thought that application would want to present detailed information to
the client (where the
verification failed etc).


More information about the Gnutls-devel mailing list