Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

Andreas Metzler ametzler at downhill.at.eu.org
Mon Nov 10 19:15:04 CET 2008


On 2008-11-10 Martin von Gagern <Martin.vGagern at gmx.net> wrote:
> This is an analysis of the GNU TLS vulnerability recently published as
> GNUTLS-SA-2008-3 and CVE-2008-4989.

> I found a bug in GNU TLS which breaks X.509 certificate chain
> verification. This allows a man in the middle to assume any name and
> trick GNU TLS clients into trusting that name.
[...]

This seems to apply to every recent gnutls version (at least even
1.4.4 shows the same output). Can you confirm that?

cu and- not trusting myself currently -reas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'





More information about the Gnutls-devel mailing list