[gnutls-devel] [sr #108611] verify_ca() bypasses DANE checking if there are fewer than 2 certificates
anonymous
INVALID.NOREPLY at gnu.org
Sun Jul 6 21:34:08 CEST 2014
URL: <http://savannah.gnu.org/support/?108611>
Summary: verify_ca() bypasses DANE checking if there are fewer than 2 certificates
Project: GnuTLS
Submitted by: None
Submitted on: Sun 06 Jul 2014 19:34:07 UTC
Category: Extra library
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
If there are fewer than 2 certificates (i.e. 1) then the call to verify_ca()
will return DANE_E_INVALID_REQUEST causing the client to ignore the TLSA
records instead of rejecting the certificate (e.g. when there are only TLSA
records with usage CA).
_______________________________________________________
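The failure mode reported above, as a simplified C model added here (not GnuTLS or libdane source, and not the reporter's code): a CA-usage TLSA check that errors out on a one-certificate chain, handled once fail-open and once fail-closed. All identifiers (`dane_decide`, `check_ca`, `struct tlsa`, the enum values) are hypothetical, and the way the error causes the record to be skipped is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical names throughout: a model of the decision, not libdane source. */
enum { USAGE_CA = 0, USAGE_EE = 1 };        /* simplified TLSA usages */
enum { E_OK = 0, E_INVALID_REQUEST = -1 };  /* stand-in for DANE_E_INVALID_REQUEST */
enum { ACCEPT = 0, REJECT = 1 };
struct tlsa { int usage; int matches; };    /* constructed: match result precomputed */

/* A CA-usage record is checked against an issuer, so it needs >= 2 certificates. */
static int check_ca(const struct tlsa *r, size_t chain_len, int *matched)
{
    if (chain_len < 2)
        return E_INVALID_REQUEST;
    *matched = r->matches;
    return E_OK;
}

/* fail_closed == 0 models the reported behaviour; 1 models rejecting instead. */
int dane_decide(const struct tlsa *recs, size_t n, size_t chain_len, int fail_closed)
{
    int applicable = 0, satisfied = 0;
    for (size_t i = 0; i < n; i++) {
        int matched = 0;
        if (recs[i].usage == USAGE_CA) {
            if (check_ca(&recs[i], chain_len, &matched) != E_OK) {
                if (fail_closed)
                    applicable = 1;  /* record still binds; it just cannot match */
                continue;            /* fail-open: record drops out of the decision */
            }
        } else {
            matched = recs[i].matches;
        }
        applicable = 1;
        satisfied |= matched;
    }
    if (!applicable)
        return ACCEPT;               /* nothing left to enforce */
    return satisfied ? ACCEPT : REJECT;
}

const struct tlsa only_ca[] = { { USAGE_CA, 0 } };                    /* constructed sample */
const struct tlsa ca_and_ee[] = { { USAGE_CA, 0 }, { USAGE_EE, 1 } }; /* constructed sample */

int main(void)
{
    printf("1 cert, CA-only, fail-open:   %s\n", dane_decide(only_ca, 1, 1, 0) ? "REJECT" : "ACCEPT");
    printf("1 cert, CA-only, fail-closed: %s\n", dane_decide(only_ca, 1, 1, 1) ? "REJECT" : "ACCEPT");
    return 0;
}
```

With only CA-usage records and a single certificate, the fail-open path ends with no applicable record and accepts, while the fail-closed path treats the unsatisfiable record as a mismatch and rejects.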