[gnutls-devel] SSL certificate validation bugs in GnuTLS
Suman Jana
suman at cs.utexas.edu
Thu Feb 13 09:54:30 CET 2014
Hi Antoine,
Thanks for sharing the link to the NDSS paper. The paper only
seems to be talking about two issues (as you may have noticed
we reported several others) -
1. GnuTLS ignores path length constraints for version <3.0.
I think it's a different bug than the one we described even
though the result is the same. We found the bug in GnuTLS
3.1.9 that (unlike older versions) has code for parsing path
length constraints but does not enforce them correctly. Please
see my earlier email to the gnutls-devel mailing list for
more details.
2. GnuTLS accepts certificates with unknown critical extensions.
This seems to be the same bug that you reported.
Thanks,
Suman
On 02/12/2014 08:18 AM, Antoine Delignat-Lavaud wrote:
> Hi,
>
> I tried to report the exact same problems to GnuTLS last summer.
> You may find the following paper relevant:
> http://research.microsoft.com/pubs/206278/ndss.pdf
>
> Best,
>
> Antoine Delignat-Lavaud
>