[gnutls-devel] SSL certificate validation bugs in GnuTLS
Antoine Delignat-Lavaud
antoine at delignat-lavaud.fr
Fri Feb 14 01:21:00 CET 2014
Le 13/02/2014 20:14, Nikos Mavrogiannopoulos a écrit :
> You may want to check the SSL obvervatory's 2010 data (I couldn't find a
> later version). There you'll notice a whole madness with certificates. I
> even remember DSA certificates marked for key encipherment.
I asked my colleagues to check the Microsoft database, which is a strict
(and much larger, as well as up to date) superset of the EFF data.
There have been 53 certificates issued in the past year without the
Signature key usage (for instance: rubrica.poste.it, www.ha.org.hk,
netbank.kdb.hu). They are on servers that only support the RSA key
exchange (if such a certificate was used with (EC)DH, Chrome, Firefox
and IE would trigger an error). In addition, there have been 101
certificates issued without the key usage extension at all, mostly by
Google on their CA (this is allowed by RFC 5280 and the CA/B forum)
Best,
ADL
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4270 bytes
Desc: Signature cryptographique S/MIME
URL: </pipermail/attachments/20140214/ebc9f500/attachment.bin>
More information about the Gnutls-devel
mailing list