[gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (urgent) (#1008)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun May 31 17:10:24 CEST 2020

Michael Catanzaro commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352481491

> GnuTLS implements the [Basic Path Validation procedure](https://tools.ietf.org/html/rfc5280#section-6.1) quite naively, meaning that it assumes that the `n`th certificate is signed by `n-1`th, and individual certificate validity is only checked at the [Basic Certificate Processing phase](https://tools.ietf.org/html/rfc5280#section-6.1.3).

We have tests in glib-networking to ensure that unordered chains are accepted (they are). (Though it's possible that glib-net attempts to reorder the chain before passing to GnuTLS.)

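The in-order walk described in the quoted comment, and a reordering pass of the kind the reply speculates about, as an added example that is not GnuTLS or glib-networking code. It is a simplified model: `struct cert`, `sort_chain`, `verify_in_order` and `demo` are hypothetical names, chaining is by issuer/subject name only with no signature checks, and the sample chain is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Toy certificate: names and expiry only (constructed model, not GnuTLS types). */
struct cert { const char *subject, *issuer; long not_after; };

/* Reorder in place so chain[i].issuer == chain[i+1].subject; chain[0] is the leaf. */
static size_t sort_chain(struct cert *chain, size_t n)
{
    size_t len = n ? 1 : 0;
    while (len < n) {
        size_t j = len;
        while (j < n && strcmp(chain[len - 1].issuer, chain[j].subject) != 0)
            j++;
        if (j == n) break;              /* issuer not presented: stop here */
        struct cert tmp = chain[len];
        chain[len] = chain[j];
        chain[j] = tmp;
        len++;
    }
    return len;                         /* length of the linked prefix */
}

/* In-order walk: 0 = ok, -1 = adjacent certificates do not chain,
 * -2 = a certificate has expired, -3 = chain does not end at the anchor. */
static int verify_in_order(const struct cert *chain, size_t n, const char *anchor, long now)
{
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (i + 1 < n && strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return -1;
        if (chain[i].not_after < now)
            return -2;
    }
    return strcmp(chain[n - 1].issuer, anchor) == 0 ? 0 : -3;
}

/* Constructed sample: leaf, then two intermediates presented in the wrong order. */
int demo(int reorder, int expire_intermediate)
{
    const long now = 1000;
    struct cert chain[] = {
        { "leaf",  "Int B", 2000 },
        { "Int A", "Root",  expire_intermediate ? 500 : 2000 },
        { "Int B", "Int A", 2000 },
    };
    size_t n = reorder ? sort_chain(chain, 3) : 3;
    return verify_in_order(chain, n, "Root", now);
}
```

In this model, reordering fixes the presentation-order failure but an expired certificate on the sorted path still fails the per-certificate check.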
