[gnutls-devel] GnuTLS | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements (!1140)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Dec 20 20:47:28 CET 2019




Nikos Mavrogiannopoulos commented:


> If that is ok or not is a matter of policy. As I understand it, you can't set/use a profile that is less secure than the system profile (also not sure what UNKNOWN means in this context).

Indeed. I thought that since we set this value as the minimum verification profile, it should apply for general verification, not only to verifications happening on TLS sessions.

> That's good for most users, but might need special care taken by testers and/or developers (they eventually have to change system policy).

That's a good point. We should also make sure in our test suite that we override the policy. I've amended with another commit doing just that. I'll merge once it passes.
