[gnutls-devel] SSL certificate validation bugs in GnuTLS
Antoine Delignat-Lavaud
antoine at delignat-lavaud.fr
Thu Feb 13 17:45:37 CET 2014
On 13/02/2014 14:03, Nikos Mavrogiannopoulos wrote:
> What do you have in mind? If you are interested some of the missing
> features are listed here:
> https://www.gitorious.org/gnutls/gnutls/source/2d1898608e451dabcff9b9ccb890f04a8f619ebc:doc/TODO#L14
> Improving the test suite (suite/chain and chainverify.c) is also an
> important task. In any case you're welcome to contribute (but in that
> case please announce the topic so we avoid duplicate work).
> regards,
> Nikos
I propose to implement the following changes (in order of priority):
1. check all basic constraints and key usage flags properly
2. (depends on 1) enforce critical extensions. According to our
measurements, there are only two CAs that have issued certificates with
non-standard critical extensions in the past 2 years, for a total of 629
certificates.
3. enforce extended key usage
4. enforce name constraints
Best,
ADL
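To make the four proposed checks concrete, here is an added example (not GnuTLS code and not part of the original thread) that models them as a policy check over an already signature-verified chain. It assumes a simplified certificate record (the real fields would be parsed from DER), handles only dNSName name constraints, and treats signatures, validity dates and revocation as checked elsewhere; the certificates at the bottom are constructed sample data, including a placeholder OID for the unknown critical extension.

```python
"""Model of the four X.509 chain checks proposed above (added example, not GnuTLS code)."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# Real extension and EKU OIDs from RFC 5280.
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_NAME_CONSTRAINTS = "2.5.29.30"
OID_EXT_KEY_USAGE = "2.5.29.37"
KNOWN_EXTENSIONS = frozenset({OID_BASIC_CONSTRAINTS, OID_KEY_USAGE, OID_SUBJECT_ALT_NAME,
                              OID_NAME_CONSTRAINTS, OID_EXT_KEY_USAGE})
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_ANY = "2.5.29.37.0"


@dataclass(frozen=True)
class Cert:
    """Only the fields the checks need; a real validator parses these from DER (assumption)."""
    subject: str
    is_ca: Optional[bool] = None             # basicConstraints.cA; None = extension absent
    path_len: Optional[int] = None           # basicConstraints.pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()  # keyUsage bits; empty = extension absent
    eku: FrozenSet[str] = frozenset()        # extKeyUsage OIDs; empty = extension absent
    dns_names: Tuple[str, ...] = ()          # subjectAltName dNSName entries
    permitted: Tuple[str, ...] = ()          # nameConstraints permittedSubtrees (dNSName only)
    excluded: Tuple[str, ...] = ()           # nameConstraints excludedSubtrees (dNSName only)
    critical: FrozenSet[str] = frozenset()   # OIDs of extensions flagged critical


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: the subtree 'example.com' covers example.com and every subdomain."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def verify_chain(chain: List[Cert]) -> List[str]:
    """chain[0] is the end entity, chain[-1] the trust anchor. Signatures, dates and
    revocation are assumed checked elsewhere. Returns policy violations ([] = accepted)."""
    errors = []
    for depth, cert in enumerate(chain):
        # 2. An unrecognised critical extension must be fatal, never silently ignored.
        for oid in sorted(cert.critical - KNOWN_EXTENSIONS):
            errors.append(f"{cert.subject}: unknown critical extension {oid}")
        # 3. Extended key usage, applied here to every certificate that carries it
        #    (stricter than RFC 5280's end-entity rule; common TLS-stack behaviour).
        if cert.eku and not (cert.eku & {EKU_SERVER_AUTH, EKU_ANY}):
            errors.append(f"{cert.subject}: extKeyUsage does not permit TLS server authentication")
        if depth == 0:
            # 1. End entity: if keyUsage is present, the key must be usable for TLS.
            if cert.key_usage and not (cert.key_usage & {"digitalSignature", "keyEncipherment"}):
                errors.append(f"{cert.subject}: keyUsage forbids use as a TLS server key")
            continue
        # 1. Issuers: must assert cA, be allowed to sign certificates, and respect pathLen.
        if cert.is_ca is not True:
            errors.append(f"{cert.subject}: used as issuer without basicConstraints cA=TRUE")
        if cert.key_usage and "keyCertSign" not in cert.key_usage:
            errors.append(f"{cert.subject}: keyUsage lacks keyCertSign")
        intermediates_below = depth - 1  # CA certificates between this one and the leaf
        if cert.path_len is not None and intermediates_below > cert.path_len:
            errors.append(f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded")
        # 4. Name constraints bind every dNSName in every certificate below this CA.
        if cert.permitted or cert.excluded:
            for sub in chain[:depth]:
                for name in sub.dns_names:
                    if cert.permitted and not any(dns_in_subtree(name, p) for p in cert.permitted):
                        errors.append(f"{sub.subject}: {name} outside permitted subtrees of {cert.subject}")
                    if any(dns_in_subtree(name, x) for x in cert.excluded):
                        errors.append(f"{sub.subject}: {name} in excluded subtree of {cert.subject}")
    return errors


# Constructed sample chain (not real certificates).
ROOT = Cert("Root CA", is_ca=True, key_usage=frozenset({"keyCertSign", "cRLSign"}))
SUB = Cert("Example Sub CA", is_ca=True, path_len=0,
           key_usage=frozenset({"keyCertSign", "cRLSign"}), permitted=("example.com",),
           critical=frozenset({OID_BASIC_CONSTRAINTS, OID_KEY_USAGE, OID_NAME_CONSTRAINTS}))
LEAF = Cert("www.example.com", is_ca=False, eku=frozenset({EKU_SERVER_AUTH}),
            key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
            dns_names=("www.example.com",))
GOOD_CHAIN = [LEAF, SUB, ROOT]


def bad_chains():
    """Constructed failure cases, one per proposed check."""
    victim = replace(LEAF, subject="victim.example.com", dns_names=("victim.example.com",))
    return {
        # A leaf used to sign another certificate: cA missing, no keyCertSign, pathLen 0 exceeded.
        "leaf_as_issuer": [victim, LEAF, SUB, ROOT],
        # Placeholder OID, constructed for the example, marked critical on the leaf.
        "unknown_critical": [replace(LEAF, critical=frozenset({"1.2.3.4.5"})), SUB, ROOT],
        "wrong_eku": [replace(LEAF, eku=frozenset({EKU_CLIENT_AUTH})), SUB, ROOT],
        "outside_name_constraint": [replace(LEAF, subject="www.example.net",
                                            dns_names=("www.example.net",)), SUB, ROOT],
    }


if __name__ == "__main__":
    print("good chain:", verify_chain(GOOD_CHAIN) or "accepted")
    for label, chain in bad_chains().items():
        print(label + ":", "; ".join(verify_chain(chain)))
```

The "leaf_as_issuer" case is the one that check 1 exists for: without enforcing basicConstraints and keyCertSign, any holder of a valid end-entity certificate could sign a certificate for another name, so that check has to land before critical-extension enforcement is worth anything.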