Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417]
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Jan 17 10:37:31 CET 2010
Andreas Metzler wrote:
> Ping?
[...]
>> this test does not work for me with any version of gnutls. There is no
>> "error: certificate has expired" or even "Peer's certificate chain
>> uses expired certificate".
I checked it and it seems that the verification code will stop once a
certificate in the chain is found invalid (that was added to counter
some denial of service attacks). Here gnutls-cli cannot verify the CA
certificate thus stops there and does not move forward to check time for
the actual certificate.
regards,
Nikos
More information about the Gnutls-devel
mailing list