[gnutls-devel] [sr #108611] verify_ca() bypasses DANE checking if there are fewer than 2 certificates

anonymous INVALID.NOREPLY at gnu.org
Sun Jul 6 21:34:08 CEST 2014


URL:
  <http://savannah.gnu.org/support/?108611>

                 Summary: verify_ca() bypasses DANE checking if there are fewer than 2 certificates
                 Project: GnuTLS
            Submitted by: None
            Submitted on: Sun 06 Jul 2014 19:34:07 UTC
                Category: Extra library
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

If there are fewer than 2 certificates (i.e. 1) then the call to verify_ca()
will return DANE_E_INVALID_REQUEST causing the client to ignore the TLSA
records instead of rejecting the certificate (e.g. when there are only TLSA
records with usage CA).




_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
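
Added example (not part of the original report and not GnuTLS source): a simplified C model of the failure mode described above, where an error return from the CA check makes the client ignore the TLSA records, next to a fail-closed form. All function names, result codes and certificate strings are constructed for illustration.

```c
/* Simplified model, not GnuTLS source; names and certificate strings are constructed. */
#include <stdio.h>
#include <string.h>

enum { USAGE_CA = 0 };                      /* TLSA certificate usage "CA" */
enum { E_OK = 0, E_INVALID_REQUEST = -1 };  /* call-level result codes */
struct tlsa { int usage; const char *data; };
typedef int (*verify_fn)(const char **, size_t, const struct tlsa *, int *);

/* Shared step: does any issuer certificate (chain[1..]) match the record? */
int issuer_matches(const char **chain, size_t n, const struct tlsa *r) {
    for (size_t i = 1; i < n; i++)
        if (strcmp(chain[i], r->data) == 0) return 1;
    return 0;
}

/* As described in the report: a chain with no issuer is a bad request. */
int verify_ca_reported(const char **chain, size_t n, const struct tlsa *r, int *ok) {
    if (n < 2) return E_INVALID_REQUEST;
    *ok = issuer_matches(chain, n, r);
    return E_OK;
}

/* Fail-closed form: with no issuer present the CA record cannot match. */
int verify_ca_strict(const char **chain, size_t n, const struct tlsa *r, int *ok) {
    *ok = issuer_matches(chain, n, r);  /* n < 2: loop body never runs */
    return E_OK;
}

/* Client that ignores TLSA records on error. Returns 1 = proceed, 0 = reject. */
int client_accepts(verify_fn verify, const char **chain, size_t n,
                   const struct tlsa *recs, size_t nrecs) {
    int ok = 0, matched = 0, seen = 0;
    for (size_t i = 0; i < nrecs; i++) {
        if (recs[i].usage != USAGE_CA) continue;
        seen = 1;
        if (verify(chain, n, &recs[i], &ok) != E_OK) return 1;  /* result discarded */
        matched |= ok;
    }
    return !seen || matched;
}

/* Constructed sample: leaf-only chain, zone publishes a single CA record. */
const char *leaf_only[] = { "leaf-cert" };
const struct tlsa ca_only[] = { { USAGE_CA, "expected-ca-cert" } };
int main(void) {
    printf("reported=%d strict=%d\n",
           client_accepts(verify_ca_reported, leaf_only, 1, ca_only, 1),
           client_accepts(verify_ca_strict, leaf_only, 1, ca_only, 1));
    return 0;
}
```

With the leaf-only chain the reported variant lets the connection proceed and the strict variant rejects it. A caller that rejects on any error return would also close the gap.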