[gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun May 31 07:27:34 CEST 2020

Daiki Ueno commented:

Thank you for the report. Though I am not following the discussion around this, my question is whether it is legitimate that the server sends such a certificate chain. GnuTLS implements the [Basic Path Validation procedure](https://tools.ietf.org/html/rfc5280#section-6.1) quite naively, meaning that it assumes that the `n`th certificate is signed by the `n-1`th, and individual certificate validity is only checked at the [Basic Certificate Processing phase](https://tools.ietf.org/html/rfc5280#section-6.1.3).

Having said that, there is a pre-processing mechanism and it wouldn't be so hard to "fix" this (I confirmed that it works if I add an extra check in `_gnutls_sort_clist`, though I guess the behavior should probably be controlled with a flag, like unsorted chain).

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352394245
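
A simplified model of the situation discussed above, as an added example that is not GnuTLS code and not part of the original message: a chain validated exactly as sent fails on an expired trailing certificate, while the same chain passes once it is cut at the first certificate whose issuer is already trusted. The truncation rule is an assumption about what such an extra check could do; the certificate names and dates are constructed, and signature verification is replaced by name matching.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def validate_as_sent(chain, anchors, now):
    """Naive walk: chain is in wire order (leaf first), each entry must be
    issued by the next one, and every entry must be in date."""
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"{cert.subject} expired"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject} not issued by next entry"
    anchor = anchors.get(chain[-1].issuer)
    if anchor is None or now > anchor.not_after:
        return False, "no valid trust anchor"
    return True, f"anchored at {anchor.subject}"

def truncate_at_anchor(chain, anchors, now):
    """Assumed pre-processing step: drop everything after the first entry
    whose issuer is already a trusted, unexpired anchor."""
    for i, cert in enumerate(chain):
        anchor = anchors.get(cert.issuer)
        if anchor is not None and now <= anchor.not_after:
            return chain[: i + 1]
    return chain

# Constructed sample: the server still sends an expired cross-certificate.
NOW = utc(2020, 5, 31)
CHAIN = [
    Cert("www.example.test", "Example Issuing CA", utc(2021, 1, 1)),
    Cert("Example Issuing CA", "New Root", utc(2030, 1, 1)),
    Cert("New Root", "Old Root", utc(2020, 5, 30)),  # expired cross-cert
]
ANCHORS = {
    "New Root": Cert("New Root", "New Root", utc(2038, 1, 1)),
    "Old Root": Cert("Old Root", "Old Root", utc(2020, 5, 30)),
}

if __name__ == "__main__":
    print(validate_as_sent(CHAIN, ANCHORS, NOW))
    print(validate_as_sent(truncate_at_anchor(CHAIN, ANCHORS, NOW), ANCHORS, NOW))
```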