[gnutls-devel] Support for OCSP Must-staple ?

Tim Kosse tim.kosse at filezilla-project.org
Tue Jun 14 17:24:54 CEST 2016


Hi,

I'm not sure whether you have seen my comments. It looks like the
original merge request has been committed to master and released as
3.5.1 unchanged.

Regards,
Tim

On 2016-06-01 18:40, Tim Kosse wrote:
> Hi,
> 
> I had a look at the merge request. While I couldn't find any major
> issues, there are still a few small things that should probably be fixed:
> 
> verify_crt in lib/x509/verify.c:
> Function description still mentions the removed issuer parameter.
> 
> verify_crt in lib/x509/verify.c:
> The TLS feature check re-uses the nc_done label from the name
> constraints checks. While the functionality is correct right now, it's
> an easy source for errors should this function be changed in the future.
> I suggest moving the TLS feature checking below the nc_done label and
> adding a separate feat_done label.
> 
> gnutls_x509_tlsfeatures_crt in lib/x509/tls_features.c:
> Line 240, format specifier doesn't match type of arguments. The size in
> gnutls_x509_tlsfeatures_t is unsigned int.
> 
> parse_tlsfeatures in lib/x509/x509_ext.c:
> The size limitation check should be done after the duplicate check,
> otherwise appending fails when verifying chains where certificates use
> the maximum allowed number of features.
> 
> tests/tlsfeature-ext.c:
> Lines 145 and 146: The comment doesn't match the assert.
> 
> Regards,
> Tim
> 
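
The check-ordering point about parse_tlsfeatures above, shown as an added example that is not GnuTLS code and not part of the original message. The struct, the function names, the `MAX_FEATURES` cap and the feature values are all hypothetical, chosen for illustration.

```c
#include <stdio.h>
#define MAX_FEATURES 4 /* assumed cap, kept small for the demonstration */

struct feature_set {
    unsigned int size;
    unsigned short feature[MAX_FEATURES];
};

static int has_feature(const struct feature_set *f, unsigned short v)
{
    for (unsigned int i = 0; i < f->size; i++)
        if (f->feature[i] == v)
            return 1;
    return 0;
}

/* Appends n values to f. size_first != 0 selects the criticised order
 * (limit check before duplicate check); 0 selects the suggested order. */
int append_features(struct feature_set *f, const unsigned short *in,
                    unsigned int n, int size_first)
{
    for (unsigned int i = 0; i < n; i++) {
        if (size_first && f->size >= MAX_FEATURES)
            return -1; /* rejects even values already in the set */
        if (has_feature(f, in[i]))
            continue; /* duplicate: nothing to store */
        if (f->size >= MAX_FEATURES)
            return -1; /* a genuinely new value does not fit */
        f->feature[f->size++] = in[i];
    }
    return 0;
}

/* Merges the same full-size list twice, as for two certificates in a chain
 * that both carry MAX_FEATURES identical features (constructed values). */
int merge_chain(int size_first)
{
    static const unsigned short cert[MAX_FEATURES] = { 5, 17, 23, 35 };
    struct feature_set f = { 0 };
    if (append_features(&f, cert, MAX_FEATURES, size_first) < 0)
        return -1;
    return append_features(&f, cert, MAX_FEATURES, size_first);
}

int main(void)
{
    printf("size check first: %d\n", merge_chain(1));
    printf("duplicate check first: %d\n", merge_chain(0));
    return 0;
}
```

With the limit check first, the second merge fails although it adds nothing new; with the duplicate check first, it succeeds and the cap still rejects a genuinely new value.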


