[gnutls-devel] SSL certificate validation bugs in GnuTLS

Suman Jana suman at cs.utexas.edu
Thu Feb 13 09:54:30 CET 2014

Hi Antoine,

Thanks for sharing the link to the NDSS paper. The paper only
seems to be talking about two issues (as you may have noticed
we reported several others) -

1. GnuTLS ignores path length constraints for version <3.0.

I think it's a different bug than the one we described even
though the result is the same. We found the bug in GnuTLS
3.1.9 that (unlike older versions) has code for parsing path
length constraints but does not enforce it correctly. Please
see my earlier email to the gnutls-devel mailing list for
more details.

2. GnuTLS accepts certificates with unknown critical extensions.

This seems to be the same bug that you reported.


On 02/12/2014 08:18 AM, Antoine Delignat-Lavaud wrote:
> Hi,
> I tried to report the exact same problems to GnuTLS last summer.
> You may find the following paper relevant:
> http://research.microsoft.com/pubs/206278/ndss.pdf
> Best,
> Antoine Delignat-Lavaud

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140213/7ed5c22d/attachment.html>

More information about the Gnutls-devel mailing list