[gnutls-devel] GnuTLS | Service Desk (from quentin.gouchet at gmail.com): GnuTLS does not check for crlSign field (#564)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Sep 17 18:31:26 CEST 2018
Hi Nikos,
I ran into a similar issue using OpenSSL where s_client would not support
certain checks that openssl verify would not.
The OSPP from NIAP specifically mentions: "If CRL is selected, the
evaluator will configure the CA to sign a CRL with a certificate that does
not have the cRLsign key usage bit set, and verify that validation of the
CRL fails."
In that case I guess it is ok to use certtool. However, in some cases, the
PP mandates "the connection to fail", in which case using a utility like
certtool would not be appropriate, and NIAP wants to see actual packet
capture files, which you cannot obtain using certtool only.
Best,
Quentin
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/564#note_101970676