[gnutls-devel] Bugfixes for certificate lists
Tim Kosse
tim.kosse at filezilla-project.org
Thu Jul 28 13:32:13 CEST 2016
On 2016-07-28 10:58, Nikos Mavrogiannopoulos wrote:
> I didn't like that change though:
>> - * a X.509 then a certificate list may be present. The first
>> - * certificate in the list is the peer's certificate, following the
>> - * issuer's certificate, then the issuer's issuer etc.
>> + * a X.509 then a certificate list may be present. This list is not
>> + * sorted.
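Review bot: the replacement text on the `+` lines loses information rather than correcting it. "This list is not sorted" tells a caller nothing about what order to expect, while the removed lines promised an order the function does not actually guarantee. Suggest wording such as "the list is returned as received from the peer; servers are expected to send the peer's certificate first, followed by its issuer, then the issuer's issuer, but callers must not rely on that order without verification", so that both the expected layout and the absence of a guarantee are documented.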
>
> I think it is more accurate to say that the list is provided as sent
> by the server, and servers are expected to provide a sorted list. I've
> added some text on these lines at the following merge request. Let me
> know if that's ok.
> https://gitlab.com/gnutls/gnutls/merge_requests/31
Sounds good.
> I wonder whether we need to add a certificate_get_peers function which
> is guaranteed to return a sorted list (or modify that one to do so).
Changing the existing function would break programs relying on it
returning the certificates as received by the server, e.g. gnutls-cli-debug.
So I suppose there needs to be a function to return the certificates as
received. How about adding certificate_get_peers2 with a flags argument
just like gnutls_x509_crt_list_import2?
Regards,
Tim
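As an added illustration of the ordering being discussed (not GnuTLS code and not part of this thread), the following C example shows what "sorted" means for a peer certificate list and how a caller can detect an unsorted list and rebuild the chain from the end-entity certificate. It assumes the certificates have already been parsed into subject and issuer names; the `struct cert`, the helper names and the sample chain are all constructed for the example.

```c
#include <stdbool.h>
#include <string.h>
/* Stand-in for a parsed certificate: only the names that fix chain order.
 * A real caller would fill these from the peer's DER list (assumption). */
struct cert { const char *subject; const char *issuer; };

/* Sorted means: list[i+1] issued list[i], end-entity certificate first. */
bool chain_is_sorted(const struct cert *list, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (strcmp(list[i].issuer, list[i + 1].subject) != 0) return false;
    return true;
}

/* The end-entity is the certificate that issued no other cert in the list. */
size_t find_leaf(const struct cert *list, size_t n) {
    for (size_t i = 0; i < n; i++) {
        bool issued_any = false;
        for (size_t j = 0; j < n; j++)
            if (i != j && strcmp(list[i].subject, list[j].issuer) == 0) issued_any = true;
        if (!issued_any) return i;
    }
    return n;  /* every cert issued another: a cycle, not a chain */
}

/* Follow issuer links from the leaf into 'out'. A result shorter than n
 * (missing issuer, stray certs) must be treated as a broken chain. */
size_t chain_sort(const struct cert *in, size_t n, struct cert *out) {
    bool used[16] = {false};  /* 16: constructed limit for the example */
    size_t cur = find_leaf(in, n), count = 0;
    if (n > 16 || cur == n) return 0;
    for (;;) {
        out[count++] = in[cur]; used[cur] = true;
        if (strcmp(in[cur].subject, in[cur].issuer) == 0) break;  /* self-signed root */
        size_t next = n;
        for (size_t j = 0; j < n; j++)
            if (!used[j] && strcmp(in[j].subject, in[cur].issuer) == 0) { next = j; break; }
        if (next == n) break;  /* issuer absent from the list */
        cur = next;
    }
    return count;
}
/* Constructed sample: a server that sent its chain out of order. */
const struct cert example_unsorted[3] = {
    { "CN=Intermediate CA", "CN=Root CA" },
    { "CN=Root CA",         "CN=Root CA" },
    { "CN=example.test",    "CN=Intermediate CA" },
};
struct cert example_sorted[16];

size_t run_example(void) { return chain_sort(example_unsorted, 3, example_sorted); }
```

Name matching is only the ordering step; the reordered chain still has to go through full signature and trust verification before it is used.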