The _gnutls_x509_verify_certificate fix
Werner Koch
wk at gnupg.org
Tue Nov 11 12:09:01 CET 2008
On Tue, 11 Nov 2008 02:35, mrsam at courier-mta.com said:
> 1) The first certificate must be one of your trusted certs
>
> 2) Each one of the following certificates must be signed by the
> previous one, ending with the peer's certificate
And there are dozens of other constraints you have to obey when doing an
X.509 certificate chain verification.
A simple one I recently wrote is in dirmngr/src/validate.c, which is about
1100 lines. However, the code may not be suitable for DoS-affected
scenarios.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
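As an added illustration (not code from this thread, from GnuTLS or from dirmngr): the two rules quoted above are the skeleton of X.509 path validation, and the example below runs a constructed chain through the Go standard library's validator to show some of the further constraints Werner refers to, namely the basicConstraints CA flag, the validity period and the peer name. All certificate names, hosts and dates are constructed for the example, and the `newCert`, `verifyChain` and `RunScenarios` helpers are mine, not an API of any of the projects mentioned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed reference time; every certificate in the chain is checked against it.
var now = time.Date(2008, time.November, 11, 12, 0, 0, 0, time.UTC)

var serial int64 // constructed serial numbers, incremented per issued certificate

// newCert issues a certificate for cn. With parent == nil it is self-signed (a trust anchor);
// otherwise it is signed by parentKey, which must belong to parent.
func newCert(cn string, isCA bool, notAfter time.Time, dns string,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true, // emit basicConstraints so the CA flag is authoritative
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if dns != "" {
		tmpl.DNSNames = []string{dns}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain runs full path validation: trust anchor, signature chaining, CA constraints,
// validity window and peer name, i.e. the two quoted rules plus the rest of RFC 5280.
func verifyChain(leaf *x509.Certificate, inters, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, CurrentTime: now, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// firstErr treats a failure at issuance or at verification alike: the chain is rejected.
func firstErr(errs ...error) error {
	for _, e := range errs {
		if e != nil {
			return e
		}
	}
	return nil
}

// RunScenarios builds one good chain (root -> intermediate -> peer) and four broken variants.
// A nil entry means the chain was accepted; a non-nil entry means it was rejected.
func RunScenarios() (map[string]error, error) {
	year := 365 * 24 * time.Hour
	host := "host.example"
	root, rootKey, err1 := newCert("Example Root CA", true, now.Add(10*year), "", nil, nil)
	inter, interKey, err2 := newCert("Example Issuing CA", true, now.Add(5*year), "", root, rootKey)
	leaf, _, err3 := newCert(host, false, now.Add(year), host, inter, interKey)
	other, _, err4 := newCert("Unrelated Root CA", true, now.Add(10*year), "", nil, nil)
	if err := firstErr(err1, err2, err3, err4); err != nil {
		return nil, err
	}
	roots, inters := []*x509.Certificate{root}, []*x509.Certificate{inter}
	res := map[string]error{}
	res["valid"] = verifyChain(leaf, inters, roots, host)
	// Rule 1 broken: the top of the chain is not in the trust store.
	res["untrusted-root"] = verifyChain(leaf, inters, []*x509.Certificate{other}, host)
	// Rule 2 holds (signatures verify) but the signer's basicConstraints says it is not a CA.
	badInter, badKey, e1 := newCert("Not A CA", false, now.Add(5*year), "", root, rootKey)
	badLeaf, _, e2 := newCert(host, false, now.Add(year), host, badInter, badKey)
	res["non-ca-intermediate"] = firstErr(e1, e2, verifyChain(badLeaf, []*x509.Certificate{badInter}, roots, host))
	// Validity period: the peer certificate expired an hour before the reference time.
	expired, _, e3 := newCert(host, false, now.Add(-time.Hour), host, inter, interKey)
	res["expired-leaf"] = firstErr(e3, verifyChain(expired, inters, roots, host))
	// Name check: the chain is fine but the certificate was issued to a different host.
	res["hostname-mismatch"] = verifyChain(leaf, inters, roots, "other.example")
	return res, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-22s %v\n", name, e)
	}
}
```

The point of the five scenarios is that only the first one exercises nothing beyond the two quoted rules; each of the others is a chain whose signatures all verify (or whose anchor is self-consistent) and that a validator must still reject, which is where the extra lines of a real implementation go.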