[gnutls-devel] GnuTLS | Does the CRL check command of GnuTLS verify the validity of the CRL itself? (#1731)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri Aug 22 11:12:39 CEST 2025
One happy person created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1731
Hello developers, I have recently been using the verify command in GnuTLS with CRL enabled. It seems to me that GnuTLS does not check the validity of the CRL itself. May I ask if the verify command in GnuTLS performs a check on the validity of the CRL used?
Test case (the CRL is not shown to have issues even when the issuer field of the CRL does not match the CRL issuer certificate):
[ca1.pem](/uploads/dd1f435570f436b26e19e56175e0d056/ca1.pem)
[crl_file_wrong_issuer.pem](/uploads/a4818db717404992e3bfc4eb1ed21a20/crl_file_wrong_issuer.pem)
[root_cert_1.pem](/uploads/03957b9755bdd01c1f0ee1695b87ca7f/root_cert_1.pem)
command:
certtool --verify --load-crl=crl_file_wrong_issuer.pem --load-ca-certificate=root_cert_1.pem < ca1.pem