[gnutls-devel] SSL certificate validation bugs in GnuTLS

Antoine Delignat-Lavaud antoine at delignat-lavaud.fr
Fri Feb 14 01:21:00 CET 2014

Le 13/02/2014 20:14, Nikos Mavrogiannopoulos a écrit :
> You may want to check the SSL obvervatory's 2010 data (I couldn't find a
> later version). There you'll notice a whole madness with certificates. I
> even remember DSA certificates marked for key encipherment.

I asked my colleagues to check the Microsoft database, which is a strict 
(and much larger, as well as up to date) superset of the EFF data.

There have been 53 certificates issued in the past year without the 
Signature key usage (for instance: rubrica.poste.it, www.ha.org.hk, 
netbank.kdb.hu). They are on servers that only support the RSA key 
exchange (if such a certificate was used with (EC)DH, Chrome, Firefox 
and IE would trigger an error). In addition, there have been 101 
certificates issued without the key usage extension at all, mostly by 
Google on their CA (this is allowed by RFC 5280 and the CA/B forum)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4270 bytes
Desc: Signature cryptographique S/MIME
URL: </pipermail/attachments/20140214/ebc9f500/attachment.bin>

More information about the Gnutls-devel mailing list