[gnutls-devel] GnuTLS | gnutls_certificate_verify_peers2() does not seem to verify ExtendedKeyUsage (#1886)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri May 15 23:43:26 CEST 2026
Daniel Stenberg created an issue: https://gitlab.com/gnutls/gnutls/-/work_items/1886
gnutls_certificate_verify_peers2() does not seem to verify ExtendedKeyUsage but gnutls_certificate_verify_peers() does.
Neither case is documented clearly. This has already led to people submitting vuln reports to gnutls-using apps for this omission.
Reference: https://www.tenable.com/security/research/tra-2026-38
The aria2c fix: https://github.com/aria2/aria2/pull/2356/changes
This seems like a GnuTLS bug to me.