[gnutls-devel] GnuTLS | GnuTLS uses expired CRLs without warning (#1781)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Jan 11 00:11:36 CET 2026

Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1781#note_2996874484

Could you provide a reproducer? I suspect you are looking at a wrong code path; note that the CRL check is done in 2 phases: first with `gnutls_x509_crl_verify` (called by `gnutls_x509_trust_list_add_crls`) and then the call to `_gnutls_x509_crt_check_revocation` for each certificate (in `gnutls_x509_trust_list_verify_crt2`). `gnutls_x509_crl_verify` does have checks for CRL expiration: https://gitlab.com/gnutls/gnutls/-/blob/0b7e7690a5744a501b887dd3a53e74c384b82a3c/lib/x509/verify.c#L1786

I believe those are already exercised in our tests under: https://gitlab.com/gnutls/gnutls/-/blob/0b7e7690a5744a501b887dd3a53e74c384b82a3c/tests/cert-tests/crl.sh#L108
