GnuTLS 2.6.4 and 2.4.3

Simon Josefsson simon at josefsson.org
Fri Feb 6 22:23:28 CET 2009


Note that the release uses a slightly different patch compared to the
release candidate.  The difference is at what point the CRL checking is
done.  I decided that without more thinking, we should better leave the
code as is, so I reverted the move of this code that I made before the
release candidate.

There is a slight semantic difference between the two approaches: will a
CRL containing a trusted intermediary cert lead to rejection or
acceptance when validating said trusted intermediary cert as part of a
chain?  I do not know what the proper answer should be.  Since it is
easier to modify the trust settings in deployment than to modify CRLs
(they are signed..), the current approach is to let the trust store
setting have preference.

Please throw your X.509 chains at the 2.6.4 release and let me know
whether it behaves.  While the many changes in this area have been
unfortunate, at least we have built up a good self-test based on the
many chains submitted.  That will help catch regressions in this area in
the future...

/Simon
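To make the semantic difference concrete, here is an added toy model of the two orderings (written for this page, not GnuTLS code): a chain walker that either consults the CRL before checking the trust store, or stops as soon as it reaches a trust-store member. The certificate records, chain and CRL entries are constructed; signatures are assumed valid so only trust and revocation decide the outcome, and which ordering the release candidate used is an assumption based on the message above.

```python
from dataclasses import dataclass

# Constructed model, not real X.509 parsing: a certificate is a subject, an
# issuer and a serial; a CRL entry is the (issuer, serial) pair it revokes.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass
class Verifier:
    trusted: set            # trust store: certificates treated as anchors
    revoked: set            # (issuer, serial) pairs taken from CRLs
    crl_before_trust: bool  # True: CRL wins; False: trust store wins (2.6.4)

    def is_revoked(self, cert: Cert) -> bool:
        return (cert.issuer, cert.serial) in self.revoked

    def verify(self, chain: list) -> str:
        """chain is ordered leaf first; returns 'accepted' or a reason."""
        for cert in chain:
            if self.crl_before_trust and self.is_revoked(cert):
                return f"rejected: {cert.subject} is revoked"
            if cert in self.trusted:
                # Trust-store setting has preference: stop at the anchor,
                # so a CRL entry for the anchor itself is never consulted.
                return "accepted"
            if self.is_revoked(cert):
                return f"rejected: {cert.subject} is revoked"
        return "rejected: no trust anchor found in chain"

# Constructed sample: an intermediate CA that is both in the trust store
# and listed on its issuer's CRL, which is exactly the ambiguous case.
ROOT = Cert("Root CA", "Root CA", 1)
INTERMEDIATE = Cert("Intermediate CA", "Root CA", 7)
LEAF = Cert("server.example", "Intermediate CA", 42)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
TRUST_STORE = {INTERMEDIATE}
CRL = {("Root CA", 7)}  # Root CA has revoked the intermediate

def compare_orderings() -> dict:
    """Validate the same chain under both orderings and report each result."""
    results = {}
    for label, crl_first in (("crl_preferred", True), ("trust_store_preferred", False)):
        results[label] = Verifier(TRUST_STORE, CRL, crl_first).verify(CHAIN)
    return results

if __name__ == "__main__":
    for label, outcome in compare_orderings().items():
        print(f"{label}: {outcome}")
```

Only the ordering differs; a revoked leaf or an unanchored chain is rejected either way.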
