[gnutls-devel] SSL certificate validation bugs in GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Feb 13 20:20:56 CET 2014

On 02/13/2014 06:19 PM, Daniel Kahn Gillmor wrote:

> It looks like key usage violations used to be permitted only when
> %COMPAT was specified in the priority string, and then commit id
> 16d365ab359436651deb35a8ec6cdc0e76c077d9 that was changed to be
> tolerated by default.  Perhaps this behavior could be added back in a
> way that could be controlled by a more specific priority string (i'm not
> sure what the default would be).
> In addition to knowing what other TLS libraries do, a survey of sites
> that are willing to offer ECDHE or DHE key exchange mechanisms without a
> digital signature key usage flag would be helpful in making an argument
> about what the default should be.
> I could produce this patch if people think that's a good approach.

Maybe we can add back the check for 3.3.x when %COMPAT is not specified?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 534 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140213/c3e1da59/attachment.sig>

More information about the Gnutls-devel mailing list