[gnutls-devel] SSL certificate validation bugs in GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Feb 17 13:51:14 CET 2014


On Thu, Feb 13, 2014 at 8:14 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:

>>>> 4. enforce name constraints
> That would be nice to be enabled by default anyway. I have had a hard time
> finding a CA that uses that, though. Anyway I'm working on an API to get
> and set this extension's data so you could use that (not committed yet).

I've implemented this functionality in master, but not added it in the
verification process.
The only certificate in my trusted root which contained this extension had:
1. Marked it as non-critical (RFC5280 requires this to be critical)
2. DNSNames listed in the wrong format (e.g., '.com' instead of 'com').

So I'm still not sure whether this is something that should be checked
by default.

regards,
Nikos
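To make the two defects above concrete, here is an added example (not GnuTLS code, and not part of the original message) that models the NameConstraints extension as Python lists of dNSName strings plus its critical flag, lints it for the problems Nikos found, and applies the RFC 5280 section 4.2.1.10 dNSName matching rule to a leaf name. The `lenient` flag, which strips a leading dot so that '.com' is read as 'com', is an assumption about how a verifier might tolerate the malformed form; it is not RFC 5280 behaviour. The sample constraints in `main` are constructed to look like the certificate described, not copied from a real CA.

```python
"""Model of RFC 5280 dNSName name constraints (section 4.2.1.10).

Added example, not GnuTLS code.  The NameConstraints extension is represented
as two lists of dNSName strings plus its critical flag; a real verifier would
fill these from the decoded extension.
"""

from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """permittedSubtrees / excludedSubtrees, restricted to dNSName entries."""
    critical: bool
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def lint_name_constraints(nc):
    """Report the two defects discussed in the thread: an extension that is not
    marked critical, and subtrees written with a leading dot ('.com')."""
    problems = []
    if not nc.critical:
        problems.append("extension not marked critical (RFC 5280 says it MUST be)")
    for subtree in nc.permitted + nc.excluded:
        if subtree.startswith("."):
            problems.append(
                f"dNSName subtree {subtree!r} has a leading dot; "
                f"RFC 5280 form is {subtree.lstrip('.')!r}")
    return problems


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot carries no meaning here.
    return name.rstrip(".").lower()


def dns_name_in_subtree(name, subtree, lenient=False):
    """RFC 5280 rule: a name satisfies a dNSName subtree if it equals the
    subtree or is formed by prepending labels to it, i.e. name == subtree or
    name ends with '.' + subtree.  A leading-dot subtree such as '.com' matches
    nothing under that rule (prepending a label would give 'foo..com').
    lenient=True strips the leading dot instead (assumption, not RFC text)."""
    name = _normalize(name)
    subtree = _normalize(subtree)
    if subtree.startswith("."):
        if not lenient:
            return False
        subtree = subtree.lstrip(".")
    if not subtree:
        # An empty subtree is treated conservatively as matching nothing.
        return False
    return name == subtree or name.endswith("." + subtree)


def check_dns_name(name, nc, lenient=False):
    """Apply the extension to one leaf dNSName and return (ok, reason).

    excludedSubtrees win regardless of permittedSubtrees; an empty permitted
    list means dNSNames are unrestricted by this extension."""
    for subtree in nc.excluded:
        if dns_name_in_subtree(name, subtree, lenient):
            return False, f"{name!r} is in excluded subtree {subtree!r}"
    if nc.permitted and not any(
            dns_name_in_subtree(name, s, lenient) for s in nc.permitted):
        return False, f"{name!r} is in no permitted subtree {nc.permitted!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed extension shaped like the one described in the thread:
    # non-critical, with leading-dot dNSName subtrees.
    bad = NameConstraints(critical=False, permitted=[".com", ".net"])
    for problem in lint_name_constraints(bad):
        print("lint:", problem)
    for host in ("www.example.com", "example.org"):
        print(host, "strict:", check_dns_name(host, bad),
              "lenient:", check_dns_name(host, bad, lenient=True))
```

Under the strict rule every name fails against the '.com' subtree, so a verifier that enforced this certificate's constraints by the book would reject all of its issued certificates; that is the practical reason the malformed form makes enabling the check by default a judgement call.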
