[gnutls-devel] SSL certificate validation bugs in GnuTLS

Antoine Delignat-Lavaud antoine at delignat-lavaud.fr
Thu Feb 13 17:45:37 CET 2014

On 13/02/2014 14:03, Nikos Mavrogiannopoulos wrote:
> What do you have in mind? If you are interested some of the missing 
> features are listed here: 
> https://www.gitorious.org/gnutls/gnutls/source/2d1898608e451dabcff9b9ccb890f04a8f619ebc:doc/TODO#L14 
> Improving the test suite (suite/chain and chainverify.c) is also an 
> important task. In any case you're welcome to contribute (but in that 
> case please announce the topic so we avoid duplicate work). regards, 
> Nikos 

I propose to implement the following changes (by order of priority):

1. check all basic constraints and key usage flags properly
2. (depends on 1) enforce critical extensions. According to our 
measurements, there are only two CA that have issued certificates with 
non-standard critical extensions in the past 2 years, for a total of 629 
3. enforce extended key usage
4. enforce name constraints



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4270 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20140213/b2341123/attachment.bin>

More information about the Gnutls-devel mailing list