The _gnutls_x509_verify_certificate fix

Simon Josefsson simon at josefsson.org
Tue Nov 11 21:30:40 CET 2008


Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> Hello,
> So combining this one and the patch in the advisory I would get:
> ----------------------
> --- /tmp/verify.c.origal        2008-11-11 18:46:43.000000000 +0000
> +++ lib/x509/verify.c   2008-11-11 18:48:08.000000000 +0000
> @@ -414,17 +414,6 @@
>      }
>  #endif
>  
> -  /* Check if the last certificate in the path is self signed.
> -   * In that case ignore it (a certificate is trusted only if it
> -   * leads to a trusted party by us, not the server's).
> -   */
> -  if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
> -                                   certificate_list[clist_size - 1]) > 0
> -      && clist_size > 0)
> -    {
> -      clist_size--;
> -    }
> -
>    /* Verify the certificate path (chain) 
>     */
>    for (i = clist_size - 1; i > 0; i--)
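Review bot: the deleted block evaluated `certificate_list[clist_size - 1]` before testing `clist_size > 0`, so the two conditions were in the wrong order (an empty list was indexed at -1 before the size check ran); dropping the whole block removes that read, but it also changes behaviour: a self-signed last certificate is no longer removed from the chain, and `for (i = clist_size - 1; i > 0; i--)` now starts from it. The deleted comment gave a security rationale for skipping it ("a certificate is trusted only if it leads to a trusted party by us, not the server's"), so the commit message should state why that rule is no longer needed here; if it is still wanted, keep the block with the conditions reordered (`clist_size > 0 &&` first) rather than deleting it.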
> ----------------------

Yes.

> Applying this to 2.4.2 does away with the crash, however it does
> not fix the advisory anymore. (The way to reproduce described in
> http://news.gmane.org/find-root.php?message_id=%3c4918143A.3050103%40gmx.net%3e
> works again.)

Really?  I think the patch should solve both the crash and the
advisory.  Are you sure you used the right library?

> cu and- wondering when lists.gnu.org is accessible by SMTP again -reas

Mailing lists are @gnu.org, not @lists.gnu.org.  I had to resend a few
messages that were sent to gnutls-devel at lists.gnu.org for some reason.
Or have you seen any documentation that says @lists.gnu.org can be used?

/Simon
