The _gnutls_x509_verify_certificate fix
tmraz at redhat.com
Tue Nov 11 16:30:35 CET 2008
On Tue, 2008-11-11 at 16:18 +0100, Simon Josefsson wrote:
> Simon Josefsson <simon at josefsson.org> writes:
> > Tomas Mraz <tmraz at redhat.com> writes:
> >> On Mon, 2008-11-10 at 21:04 +0100, Nikos Mavrogiannopoulos wrote:
> >>> On Mon, Nov 10, 2008 at 2:47 PM, Tomas Mraz <tmraz at redhat.com> wrote:
> >>> > Hello,
> >>> > given the recent fix in the _gnutls_x509_verify_certificate I have been
> >>> > looking at the function. I see there are currently some limitations in
> >>> > it. For example it now doesn't allow verification of explicitely trusted
> >>> > self-signed site certificate. Is there some other method how this could
> >>> > be achieved?
> >>> You can achieve it by associating an address of a website with the
> >>> keyid of the given
> >>> certificate. This is more generic of trusting a self-signed
> >>> certificate. You can trust any
> >>> certificate first presented when accessing a website that way (ssh security).
> >> But the patch should be modified anyway because in case the server
> >> presents just a self-signed site certificate there will be a dereference
> >> of the certificate_list[-1].
> >> It is also questionable whether the function should not also check for
> >> clist_size of 0 before calling _gnutls_verify_certificate2().
> > Indeed. This may explain:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279
> On reading more code, probably not, since all calls to
> _gnutls_x509_verify_certificate goes through gnutls_x509_crt_list_verify
> which does check for clist_size==0. For readability, the two functions
> should probably be merged into one.
But they don't check for clist_size==1 and this causes the debian bug
when self-signed site certificate is used.
No matter how far down the wrong road you've gone, turn back.
More information about the Gnutls-devel