[gnutls-devel] SSL certificate validation bugs in GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Feb 13 14:03:45 CET 2014


On Thu, Feb 13, 2014 at 1:07 PM, Antoine Delignat-Lavaud
<antoine at delignat-lavaud.fr> wrote:

>  Publishing a paper in a conference isn't considered reporting. If
> you'd like to report something for gnutls, summarize it, and sent it
> to the appropriate e-mail address or the mailing list. Providing a
> fix, is even better.
> Hi Nikos,
> I was an intern at Microsoft at the time of writing, and was not allowed to
> disclose the issue myself, or even look at the GPL GnuTLS code at that time.
> That being said, it seems you answered to our report (through the Microsoft
> disclosure program) on September 13 last year pointing us to the following
> page:
> http://gnutls.org/manual/html_node/Verifying-X_002e509-certificate-paths.html

> where it says: "Limitation: Pathlen constraints or key usage flags are
> not consulted."  on gnutls_x509_trust_list_verify_crt().

Ok, I remember that. Sorry for the attitude, but it is often that
people from academia publish issues without reporting them back.

> Thus, we considered it was a known issue and went ahead with the
> publication. That being said, there is no doubt that X509 validation leaves
> much to be desired in GnuTLS and I am volunteering to write a patch to
> strengthen some of the checks.

What do you have in mind? If you are interested some of the missing
features are listed here:
https://www.gitorious.org/gnutls/gnutls/source/2d1898608e451dabcff9b9ccb890f04a8f619ebc:doc/TODO#L14

Improving the test suite (suite/chain and chainverify.c) is also an
important task. In any case you're welcome to contribute (but in that
case please announce the topic so we avoid duplicate work).

regards,
Nikos



More information about the Gnutls-devel mailing list