[gnutls-devel] GnuTLS | OCSP must staple can fail on incorrect certificate list under TLS1.3 (#786)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Jun 8 20:04:21 CEST 2019




Failing the verification seems to be correct. If we had a 'relaxed verification' mode, it should succeed here. But being 'relaxed' might also introduce new issues, apart from the additional code complexity you mention.

Unless this turns out to be a 'common' server issue, we should not change behavior.

To find out how widespread this scenario is, we could make stats about the top 1M web sites... if you have example source code to connect and write stats, I'll run it through the 1M sites.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/786#note_179248968