The _gnutls_x509_verify_certificate fix

Sam Varshavchik mrsam at courier-mta.com
Tue Nov 11 02:35:55 CET 2008


Tomas Mraz writes:

> self-signed site certificate. Is there some other method how this could
> be achieved? If not, then perhaps the test for the self-signed should be
> performed only when clist_size > 1. Also the test for the clist_size
> should be first test of the if().
> 
> The other limitation is that only the last certificate (after removing
> eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.
> 
> What do you think of these limitations, should they be removed?

Here's how I always thought certificate verifications should work:

1) The first certificate must be one of your trusted certs

2) Each one of the following certificates must be signed by the previous 
one, ending with the peer's certificate

It makes no sense to search the trusted list for any intermediate certs, 
neither does it make sense to treat self-signed certs in any special way. 
All of the root, trusted, certs are self-signed certs, the above logic works 
correctly for them.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: </pipermail/attachments/20081110/9779377c/attachment.pgp>


More information about the Gnutls-devel mailing list