[gnutls-devel] SSL certificate validation bugs in GnuTLS
Kurt Roeckx
kurt at roeckx.be
Thu Feb 13 22:21:24 CET 2014
On Thu, Feb 13, 2014 at 10:25:50AM +0100, Nikos Mavrogiannopoulos wrote:
> On Thu, Feb 13, 2014 at 9:48 AM, Andy Lutomirski <luto at amacapital.net> wrote:
>
> > This should IMO have a CVE assigned and announcement made. If I understand
> > the issue correctly, this will be widely exploited.
> > If this affects verification of client certs, everyone is fscked.
>
> It should have a CVE as it has quite some implications. As of
> exploitability I think it depends on whether there are CAs that issue
> v1 certificates.
I've checked 7.5M certificates that most browsers should validate
and found 71 such certificates, of which 44 are a CA, and so 27
are not. 24 of the 27 are from the CA for itself.
Kurt
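An added example, not part of the thread and not GnuTLS code, of the kind of corpus check Kurt describes above. It walks DER with a small hand-written TLV parser and records, per certificate, the X.509 version, whether basicConstraints asserts cA, and whether subject equals issuer. The point worth noticing is that a v1 certificate cannot carry extensions at all, so nothing inside it can say "I am a CA"; any verifier that treats a v1 certificate as an issuer is relying on something other than the certificate itself. Everything here is assumed for illustration: the helper names, the self-issued check used as a stand-in for "the CA's own certificate" (Kurt does not say how he split his 27), and the sample certificates, which are constructed inside the block, unsigned, with a placeholder key.

```python
# Added example (not from the thread or from GnuTLS): classify DER certificates
# by X.509 version, basicConstraints cA, and self-issuance (subject == issuer).
# A v1 certificate has no extensions, so "ca" can never be True for it; the
# self-issued flag is an assumed proxy for "the CA's own certificate".
# Sample certificates are constructed below: unsigned, with a dummy key.

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _tlv(buf, pos)
        yield tag, vs, ve


def classify(cert_der):
    """Return {"version": 1|2|3, "ca": bool, "self_issued": bool} for one DER certificate."""
    _, cert_s, cert_e, _ = _tlv(cert_der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = next(_children(cert_der, cert_s, cert_e))   # tbsCertificate
    fields = list(_children(cert_der, tbs_s, tbs_e))
    version, idx = 1, 0
    if fields[0][0] == 0xA0:                            # [0] EXPLICIT Version present (absent => v1)
        _, ivs, ive, _ = _tlv(cert_der, fields[0][1])
        version, idx = int.from_bytes(cert_der[ivs:ive], "big") + 1, 1
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, _, issuer, _, subject, _ = fields[idx:idx + 6]
    self_issued = cert_der[issuer[1]:issuer[2]] == cert_der[subject[1]:subject[2]]
    is_ca = False
    for tag, es, ee in fields[idx + 6:]:
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, seq_s, seq_e = next(_children(cert_der, es, ee))
        for _, xs, xe in _children(cert_der, seq_s, seq_e):
            parts = list(_children(cert_der, xs, xe))  # extnID, [critical], extnValue
            if cert_der[parts[0][1]:parts[0][2]] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc_s, bc_e, _ = _tlv(cert_der, parts[-1][1])   # OCTET STRING -> BasicConstraints
            for ctag, cs, _ in _children(cert_der, bc_s, bc_e):
                if ctag == 0x01:                        # cA BOOLEAN; DEFAULT FALSE, so absent == False
                    is_ca = cert_der[cs] != 0
    return {"version": version, "ca": is_ca, "self_issued": self_issued}


def tally_v1(certs):
    """Summarise a corpus: how many v1 certificates, and how many of those are self-issued."""
    infos = [classify(c) for c in certs]
    v1 = [i for i in infos if i["version"] == 1]
    return {"total": len(infos), "v1": len(v1),
            "v1_self_issued": sum(i["self_issued"] for i in v1),
            "v1_issued_to_others": sum(not i["self_issued"] for i in v1)}


# --- constructed sample certificates (tiny DER encoder for the fields read above) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name with a single commonName (2.5.4.3) RDN."""
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_cert(subject, issuer, version=1, ca=None):
    """Unsigned, dummy-keyed certificate; ca=None means no basicConstraints extension."""
    if version == 1 and ca is not None:
        raise ValueError("v1 certificates cannot carry extensions")
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    def utc(s): return _der(0x17, s.encode())
    tbs = b"" if version == 1 else _der(0xA0, _der(0x02, bytes([version - 1])))
    tbs += _der(0x02, b"\x01") + alg + _name(issuer)
    tbs += _der(0x30, utc("140101000000Z") + utc("150101000000Z"))
    tbs += _name(subject) + _der(0x30, alg + _der(0x03, b"\x00\x00"))  # placeholder SPKI
    if ca is not None:
        bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")   # DER omits cA=FALSE
        ext = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x04, bc))
        tbs += _der(0xA3, _der(0x30, ext))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00\x00"))


SAMPLE_CERTS = [                                        # constructed corpus, not real certificates
    make_cert("Example Root", "Example Root", version=3, ca=True),
    make_cert("www.example.net", "Example Root", version=3, ca=False),
    make_cert("Legacy Root", "Legacy Root", version=1),          # v1 self-issued root
    make_cert("ocsp.legacy.example", "Legacy Root", version=1),  # v1 end-entity cert
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(classify(c))
    print(tally_v1(SAMPLE_CERTS))
```

The parser only reads the fields needed for the classification and trusts well-formed DER; a real scan over millions of certificates would use a full X.509 library and would also take the trust store into account, since a v1 root is a CA only because a store says so, never because the certificate does.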