[gnutls-devel] GnuTLS | Service Desk (from quentin.gouchet at gmail.com): GnuTLS does not check for crlSign field (#564)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Sep 17 18:31:26 CEST 2018

Hi Nikos,

I ran into a similar issue using OpenSSL where s_client would not support
certain checks that openssl verify would not.

The OSPP from NIAP specifically mentions: "If CRL is selected, the
evaluator will configure the CA to sign a CRL with a certificate that does
not have the cRLsign key usage bit set, and verify that validation of the
CRL fails."

In that case I guess it is ok to use certtool. However, in some cases, the
PP mandates "the connection to fail", in which case using a utility like
certtool would not be appropriate, and NIAP wants to see actual packet
capture files, which you cannot obtain using certtool only.


Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/564#note_101970676
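The NIAP test described in this message (a CRL signed by a certificate lacking the cRLSign key-usage bit must be rejected) can be modelled end to end in a few lines. The following is an added example, not code from the thread or from GnuTLS; it assumes the Python `cryptography` package and builds throwaway CAs and CRLs in memory.

```python
"""Added example: accept a CRL only if its issuer is authorised to sign CRLs.

Requires the 'cryptography' package. All keys and certificates are
generated in memory for the test, nothing here is GnuTLS code.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_ca(name: str, crl_sign: bool):
    """Self-signed CA certificate; crl_sign sets or clears the cRLSign bit."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=crl_sign, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(key, cert):
    """Empty CRL issued under `cert` and signed with `key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(cert.subject)
        .last_update(now).next_update(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


def crl_is_acceptable(crl, issuer_cert) -> bool:
    """Signature must verify AND the issuer's KeyUsage must assert cRLSign."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return False
    try:
        ku = issuer_cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True  # RFC 5280: no KeyUsage extension means no restriction
    return ku.crl_sign  # the check the NIAP test case exercises
```

A verifier that only checks the CRL signature (the first test in `crl_is_acceptable`) passes the NIAP test case's CRL; the `crl_sign` check is what makes it fail as required.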