[gnutls-devel] Bugfixes for certificate lists

Tim Kosse tim.kosse at filezilla-project.org
Thu Jul 28 13:32:13 CEST 2016

On 2016-07-28 10:58, Nikos Mavrogiannopoulos wrote:
> I didn't like that change though:
>> - * a X.509 then a certificate list may be present.  The first
>> - * certificate in the list is the peer's certificate, following the
>> - * issuer's certificate, then the issuer's issuer etc.
>> + * a X.509 then a certificate list may be present.  This list is not
>> + * sorted.
> I think it is more accurate to say that the list is provided as sent
> by the server, and servers are expected to provide a sorted list. I've
> added some text on these lines at the following merge request. Let me
> know if that's ok.
> https://gitlab.com/gnutls/gnutls/merge_requests/31

Sounds good.

> I wonder whether we need to add a certificate_get_peers function which
> is guaranteed to return a sorted list (or modify that one to do so).

Changing the existing function would break programs relying that it
returns the certificates as received by the server, e.g. gnutls-cli-debug.

So I suppose there needs to be a function to return the certificates as
received. How about adding certificate_get_peers2 with a flags argument
just like gnutls_x509_crt_list_import2?


More information about the Gnutls-devel mailing list