[gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Dec 20 20:47:28 CET 2019

Nikos Mavrogiannopoulos commented:

> If that is ok or not is a matter of policy. As I understand it, you can't set/use a profile that is less secure than the system profile (also not sure what UNKNOWN means in this context).

Indeed. I thought that since we set this value as the minimum verification profile, it should apply for general verification not only to verifications happening on TLS sessions.

> That's good for most users, but might need special care taken by testers and/or developers (they eventually have to change system policy).

That's a good point. We should also make sure in our test suite that we override the policy. I've amended with another commit doing just that. I'll merge once it passes.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1140#note_263831929