[gnutls-devel] SSL certificate validation bugs in GnuTLS

Kurt Roeckx kurt at roeckx.be
Thu Feb 13 22:21:24 CET 2014


On Thu, Feb 13, 2014 at 10:25:50AM +0100, Nikos Mavrogiannopoulos wrote:
> On Thu, Feb 13, 2014 at 9:48 AM, Andy Lutomirski <luto at amacapital.net> wrote:
> 
> > This should IMO have a CVE assigned and announcement made.  If I understand
> > the issue correctly, this will be widely exploited.
> > If this affects verification of client certs, everyone is fscked.
> 
> It should have a CVE as it has quite some implications. As of
> exploitability I think it depends on whether there are CAs that issue
> v1 certificates.

I've checked 7.5M certificates that most browsers should validate
and found 71 such certificates, of which 44 are a CA, and so 27
are not.  24 of the 27 are from the CA for itself.


Kurt
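As an added example (not code from the thread, Kurt's survey, or GnuTLS), the following script does the same kind of audit on a local bundle of DER-encoded X.509 certificates: it reports each certificate's X.509 version, whether it is self-issued (issuer DN equals subject DN), and what basicConstraints says, which is necessarily absent for v1 certificates since they carry no extensions. It uses a small hand-written DER walker so it needs no third-party library, does not verify signatures, and the sample bundle is constructed here with placeholder key and signature bytes; the names "Example Root CA", "Example Sub CA" and "www.example.test" are made up.

```python
# Added example (not from the thread or GnuTLS): audit a bundle of
# DER-encoded X.509 certificates for version-1 certificates, the case
# discussed in the thread. A minimal hand-written DER walker is used so
# no third-party library is needed; signatures are NOT verified.
# The sample certificates are constructed with placeholder key bytes
# and signature bytes and are not real certificates.

# ---- tiny DER encoder, used only to build the constructed samples ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

OID_CN = b"\x55\x04\x03"                   # 2.5.4.3 commonName
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"    # 2.5.29.19 basicConstraints
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
SIG_ALG = seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))

def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { type OID, value PrintableString }
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x13, cn.encode()))))

def make_cert(version, issuer_cn, subject_cn, ca=None):
    fields = []
    if version == 3:
        fields.append(tlv(0xA0, tlv(0x02, b"\x02")))      # [0] EXPLICIT version v3(2)
    fields += [
        tlv(0x02, b"\x01"),                               # serialNumber
        SIG_ALG,
        name(issuer_cn),
        seq(tlv(0x17, b"140101000000Z"), tlv(0x17, b"150101000000Z")),  # validity
        name(subject_cn),
        seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" * 9)),  # placeholder SPKI
    ]
    if version == 3 and ca is not None:
        bc = seq(tlv(0x01, b"\xff")) if ca else seq()     # cA DEFAULT FALSE is omitted in DER
        ext = seq(tlv(0x06, OID_BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), tlv(0x04, bc))
        fields.append(tlv(0xA3, seq(ext)))                # [3] EXPLICIT Extensions
    return seq(seq(*fields), SIG_ALG, tlv(0x03, b"\x00" * 9))  # placeholder signature

# ---- minimal DER reader used by the audit ----
def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return version, self-issued flag and basicConstraints cA for one certificate."""
    _, cert_body, _ = read_tlv(der, 0)
    tbs = children(children(cert_body)[0][1])             # TBSCertificate fields
    if tbs[0][0] == 0xA0:                                 # explicit version present (v2/v3)
        version = int.from_bytes(children(tbs[0][1])[0][1], "big") + 1
        tbs = tbs[1:]
    else:
        version = 1                                       # absent version field means v1
    issuer, subject = tbs[2][1], tbs[4][1]
    ca = None                                             # None: no basicConstraints at all
    for tag, val in tbs[6:]:
        if tag != 0xA3:
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                bc = children(children(parts[-1][1])[0][1])
                ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return {"version": version, "self_issued": issuer == subject, "basic_constraints_ca": ca}

def audit(certs):
    """Summarise a bundle the way the survey does: v1 certs, split by who issued them."""
    rows = [inspect_cert(c) for c in certs]
    v1 = [r for r in rows if r["version"] == 1]
    return {
        "total": len(rows),
        "v1": len(v1),
        "v1_self_issued": sum(r["self_issued"] for r in v1),
        "v1_issued_by_other": sum(not r["self_issued"] for r in v1),
    }

# Constructed sample bundle: a v1 self-issued root, a v1 certificate issued
# by that root (v1 has no way to say cA=FALSE), a v3 CA and a v3 leaf.
SAMPLE_BUNDLE = [
    make_cert(1, "Example Root CA", "Example Root CA"),
    make_cert(1, "Example Root CA", "www.example.test"),
    make_cert(3, "Example Root CA", "Example Sub CA", ca=True),
    make_cert(3, "Example Sub CA", "www.example.test", ca=False),
]

if __name__ == "__main__":
    for c in SAMPLE_BUNDLE:
        print(inspect_cert(c))
    print(audit(SAMPLE_BUNDLE))
```

To run it against a real bundle, replace `SAMPLE_BUNDLE` with the DER bytes of each certificate (PEM must be base64-decoded first). The point of the `basic_constraints_ca` field being `None` for v1 certificates is the one the thread turns on: a v1 certificate cannot declare whether it is a CA, so any CA status has to come from the trust store rather than from the certificate itself, and a verifier must not treat a v1 certificate in the middle of a chain as a CA just because the field is absent.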