The _gnutls_x509_verify_certificate fix

Werner Koch wk at
Tue Nov 11 12:09:01 CET 2008

On Tue, 11 Nov 2008 02:35, mrsam at said:

> 1) The first certificate must be one of your trusted certs
> 2) Each one of the following certificates must be signed by the
> previous one, ending with the peer's certificate

And there are dozens of other constraints you have to obey when doing an
X.509 certificate chain verification.

A simple one I recently wrote is in dirmngr/src/validate.c, which is about
1100 lines.  However the code may not be suitable for DoS affected

Thoughts are free.  Exceptions are governed by a federal law.
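As an added illustration for readers of this thread (it is not code from the thread, from GnuTLS or from dirmngr), the Go program below implements the two quoted rules as a walk over a chain ordered trust anchor first, peer last, and then adds three of the "other constraints" the reply alludes to: the validity period of every certificate, the basicConstraints cA flag on every certificate that acts as an issuer, and issuer/subject name chaining. Which extra constraints to show, the certificate names, the P-256 keys and the one-day validity are choices made for this example; the signature check itself is the standard library's `CheckSignatureFrom`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustKey returns a fresh P-256 key for a constructed certificate.
func mustKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// makeCert issues a one-day certificate for pub signed by parentKey; with
// parent == nil it is self-signed, so parentKey must be the private half of pub.
func makeCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit basicConstraints so the cA flag is explicit
		IsCA:                  isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyChain checks a chain ordered trust anchor -> intermediates -> peer against
// the two quoted rules plus three of the further constraints: validity period,
// the basicConstraints cA flag on every issuer, and issuer/subject name chaining.
func verifyChain(chain, trusted []*x509.Certificate, now time.Time) error {
	// Rule 1: the first certificate must be one of the trusted certificates
	// (compared byte for byte, not by name).
	anchored := false
	for _, t := range trusted {
		anchored = anchored || len(chain) > 0 && bytes.Equal(t.Raw, chain[0].Raw)
	}
	if !anchored {
		return errors.New("chain is empty or its first certificate is not a trust anchor")
	}
	for i, c := range chain {
		name := c.Subject.CommonName
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q: outside its validity period", name)
		}
		// Every certificate except the peer's acts as an issuer and must be a CA.
		if i < len(chain)-1 && !(c.BasicConstraintsValid && c.IsCA) {
			return fmt.Errorf("%q: issues a certificate but is not a CA", name)
		}
		if i == 0 {
			continue // the anchor is trusted directly, not by its own signature
		}
		// Rule 2: signed by the previous certificate, whose subject must be our issuer.
		prev := chain[i-1]
		if !bytes.Equal(c.RawIssuer, prev.RawSubject) {
			return fmt.Errorf("%q: issuer does not match %q", name, prev.Subject.CommonName)
		}
		if err := c.CheckSignatureFrom(prev); err != nil {
			return fmt.Errorf("%q: %w", name, err)
		}
	}
	return nil
}

// buildDemo constructs root -> intermediate -> peer and a trust store holding
// only the root; every name here is made up for the example.
func buildDemo() ([]*x509.Certificate, []*x509.Certificate, *ecdsa.PrivateKey) {
	rootKey, interKey, peerKey := mustKey(), mustKey(), mustKey()
	root := makeCert("Example Root CA", true, &rootKey.PublicKey, nil, rootKey)
	inter := makeCert("Example Intermediate CA", true, &interKey.PublicKey, root, rootKey)
	peer := makeCert("peer.example.test", false, &peerKey.PublicKey, inter, interKey)
	return []*x509.Certificate{root, inter, peer}, []*x509.Certificate{root}, peerKey
}

func main() {
	chain, trusted, _ := buildDemo()
	fmt.Println("full chain:", verifyChain(chain, trusted, time.Now()))
	fmt.Println("anchor dropped:", verifyChain(chain[1:], trusted, time.Now()))
}
```

The trust anchor is matched on its DER bytes rather than its name, and the anchor's own signature is never checked, because trust in it comes from the store, not from the chain. Even with these three additions the checker is nowhere near complete (no revocation, key usage, name constraints, policy or path-length handling), which is exactly the point of the reply: the two quoted rules are the skeleton, not the whole verification.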

More information about the Gnutls-devel mailing list