[gnutls-devel] SSL certificate validation bugs in GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Feb 13 12:56:55 CET 2014

On Thu, Feb 13, 2014 at 10:26 AM, Suman Jana <suman at cs.utexas.edu> wrote:

>>>    While I do agree with you that name constraints are quite messy, I'll
>>> like
>>> to point
>>>    out that several other open source SSL libraries that we tested (e.g.,
>>> OpenSSL, PolarSSL,
>>>    ,NSS, Bouncy Castle) support them.
>> Do they support all the options for the name constraints or only the DNS?
>   We tested with DNS and all of them seemed to support that.

So the fact that you only checked DNS constraints (directoryName is
the only mandatory name constraint in rfc5280) means that there is
already a de facto profile expected to work by people.


More information about the Gnutls-devel mailing list