[gnutls-devel] GnuTLS | gnutls serv / gnutls_certificate_set_x509_key_file do not check certificate against policy (#881)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Dec 18 23:25:35 CET 2019



Dimitri John Ledkov created an issue: https://gitlab.com/gnutls/gnutls/issues/881



gnutls serv loads keyfile & cert, but doesn't bother to check if it should trust it or if it is acceptable as per policy.

For example, one can start gnutls serv with 512 RSA keys in the cert chain, even if no sane client will trust to connect to it.

Some checks are performed e.g. gnutls_check_key_cert_match, but it should also check if the cert meets the minimum profile security standard w.r.t. algos / key sizes / hashes / etc. Such that, for example, daemons fail to start with bogus certs instead of waiting for clients to fail to establish a connection.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/881
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191218/e68e9132/attachment.html>


More information about the Gnutls-devel mailing list