[gnutls-devel] [sr #108612] Both verify_ca() and verify_ee() abort DANE processing with DANE_E_UNKNOWN_DANE_DATA for unrecognised types
anonymous
INVALID.NOREPLY at gnu.org
Sun Jul 6 21:39:06 CEST 2014
URL:
<http://savannah.gnu.org/support/?108612>
Summary: Both verify_ca() and verify_ee() abort DANE processing with DANE_E_UNKNOWN_DANE_DATA for unrecognised types
Project: GnuTLS
Submitted by: None
Submitted on: Sun 06 Jul 2014 19:39:05 UTC
Category: Extra library
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Privacy: Public
Assigned to: None
Originator Email: bugs.gnutls.simon at arlott.org
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
Both verify_ca() and verify_ee() abort DANE processing with
DANE_E_UNKNOWN_DANE_DATA for unrecognised types. The correct response is to
ignore that TLSA record.
If a new TLSA type is introduced then DANE checking will return an error and
be ignored by clients. Instead, the clients may have been able to verify the
certificate with another TLSA record or they should have rejected it when
there are no more recognised records.
These functions should return 0 and set *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?108612>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
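The two behaviours the report contrasts, as an added illustrative model that is not libdane's own code or API: the record fields, the fingerprint strings, the set of "known" TLSA field values, and the choice to treat CERT_DIFFERS as the only failure bit (UNKNOWN_DANE_INFO being informational) are assumptions of this model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of TLSA record checking; the names mirror the report,
 * but this is not libdane's code or API. */
#define DANE_E_UNKNOWN_DANE_DATA        (-1)
#define DANE_VERIFY_CERT_DIFFERS        0x1u   /* no recognised record matched: reject */
#define DANE_VERIFY_UNKNOWN_DANE_INFO   0x2u   /* an unrecognised record was skipped */

typedef struct {
    unsigned usage, selector, mtype;   /* RFC 6698 TLSA fields */
    const char *fp;                    /* modelled association data (constructed) */
} tlsa_rec;

/* Usages 0-3, selectors 0-1 and matching types 0-2 are the values this model recognises. */
static bool tlsa_known(const tlsa_rec *r) {
    return r->usage <= 3 && r->selector <= 1 && r->mtype <= 2;
}

/* Usages 0 and 2 constrain a CA in the chain, usages 1 and 3 the end-entity certificate. */
static bool tlsa_matches(const tlsa_rec *r, const char *ee_fp, const char *ca_fp) {
    return strcmp(r->fp, (r->usage == 0 || r->usage == 2) ? ca_fp : ee_fp) == 0;
}

/* Reported behaviour: the first unrecognised record aborts the whole check,
 * so a valid record later in the RRset is never consulted. */
int dane_check_abort(const tlsa_rec *rs, size_t n, const char *ee_fp,
                     const char *ca_fp, unsigned *verify) {
    *verify = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tlsa_known(&rs[i])) return DANE_E_UNKNOWN_DANE_DATA;
        if (tlsa_matches(&rs[i], ee_fp, ca_fp)) return 0;
    }
    *verify |= DANE_VERIFY_CERT_DIFFERS;
    return 0;
}

/* Requested behaviour: skip the record, note that in *verify, and keep looking;
 * the certificate is only rejected when no recognised record matches. */
int dane_check_skip(const tlsa_rec *rs, size_t n, const char *ee_fp,
                    const char *ca_fp, unsigned *verify) {
    bool matched = false; *verify = 0;
    for (size_t i = 0; i < n && !matched; i++) {
        if (!tlsa_known(&rs[i])) { *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO; continue; }
        matched = tlsa_matches(&rs[i], ee_fp, ca_fp);
    }
    if (!matched) *verify |= DANE_VERIFY_CERT_DIFFERS;
    return 0;
}
```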