Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jun 21 13:45:41 CEST 2010


On Mon, Jun 21, 2010 at 1:23 PM, Lars Noschinski
<lars at public.noschinski.de> wrote:

>> GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is a flag that makes the trusted
>> certificate list a list that can only certify other keys. That is, it
>> will not allow a certificate from this list to be used as a server
>> certificate. So how it works depends on your usage of this list. If
>> you add end server certificates there, maybe
>> GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is not a good option for you. But for
>> other uses it is quite sensible.
> Ok. But in this case, the behaviour I observed seems to be indeed a bug
> in gnutls, as my certificate list did not contain the server's
> certificate, but only the CA certificates.

Then please send me something I can reproduce (such as the smallest
possible list that I can use to verify the problem and how I can
verify it).

regards,
Nikos
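The behaviour of the flag as described in the exchange above, as an added example that is not part of the thread and not GnuTLS code: a small Python model of trust-list handling in which a trusted-list entry either may be accepted on its own identity (flag off) or may only certify other keys (flag on). The certificate names, key identifiers, the simplified "signature" check and the chain-walking logic are all constructed here for illustration and follow Nikos's description, not GnuTLS's internal implementation; the scenarios include Lars's case of a list that holds only CA certificates.

```python
# Added example, not GnuTLS code: a minimal model of what the
# GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag changes about trust-list handling,
# following the description in the thread above. Certificates, keys and the
# chain-walking logic are constructed for illustration (assumption: the model
# matches the thread's description, not GnuTLS's exact internal logic).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate. A signature is modelled as the key
    identifier of the signer, so sig_key == signer.key means 'verifies'."""
    subject: str
    issuer: str
    key: str       # identifier of this certificate's public key
    sig_key: str   # identifier of the key that produced the signature
    is_ca: bool


def signed_by(cert: Cert, signer: Cert) -> bool:
    """Model of issuer/subject name chaining plus signature verification
    by a CA certificate."""
    return (cert.issuer == signer.subject
            and cert.sig_key == signer.key
            and signer.is_ca)


def verify_chain(chain: List[Cert], trusted: List[Cert],
                 do_not_allow_same: bool = False) -> Tuple[bool, str]:
    """Walk chain[0] (the end-entity certificate) towards the trusted list.

    Flag off: a certificate that is identical to a trusted-list entry is
    accepted as is (this is how an end-entity cert can be placed in the list).
    Flag on: the trusted list may only certify *other* keys, so a list entry is
    never accepted on its own identity and never counts as its own issuer.
    """
    for i, cert in enumerate(chain):
        if cert in trusted and not do_not_allow_same:
            return True, f"{cert.subject}: identical to a trusted-list entry"
        for ca in trusted:
            if do_not_allow_same and ca == cert:
                continue  # list entries may only certify other keys
            if signed_by(cert, ca):
                return True, f"{cert.subject}: issued by trusted {ca.subject}"
        if i + 1 == len(chain):
            return False, f"{cert.subject}: no trusted issuer found"
        if not signed_by(cert, chain[i + 1]):
            return False, f"{cert.subject}: not issued by {chain[i + 1].subject}"
    return False, "empty chain"


# Constructed sample certificates (names and key ids are made up).
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root", True)
INTER = Cert("Example Issuing CA", "Example Root CA", "k-inter", "k-root", True)
SERVER = Cert("www.example.test", "Example Issuing CA", "k-srv", "k-inter", False)
SELF_SIGNED_SERVER = Cert("mail.example.test", "mail.example.test",
                          "k-mail", "k-mail", False)


def scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Outcome of each scenario as (flag off, flag on)."""
    return {
        # Lars's case: the list holds only CA certificates and the chain is
        # proper, so the flag must not change the outcome.
        "proper chain, CAs only": (
            verify_chain([SERVER, INTER], [ROOT])[0],
            verify_chain([SERVER, INTER], [ROOT], do_not_allow_same=True)[0]),
        # An end-entity certificate placed directly in the list is accepted
        # only while the flag is off.
        "pinned end-entity cert": (
            verify_chain([SELF_SIGNED_SERVER], [ROOT, SELF_SIGNED_SERVER])[0],
            verify_chain([SELF_SIGNED_SERVER], [ROOT, SELF_SIGNED_SERVER],
                         do_not_allow_same=True)[0]),
        # A trusted CA certificate presented as the server certificate itself.
        "trusted CA used as server cert": (
            verify_chain([ROOT], [ROOT])[0],
            verify_chain([ROOT], [ROOT], do_not_allow_same=True)[0]),
        # A chain that never reaches the list is rejected either way.
        "untrusted issuer": (
            verify_chain([SERVER, INTER], [SELF_SIGNED_SERVER])[0],
            verify_chain([SERVER, INTER], [SELF_SIGNED_SERVER],
                         do_not_allow_same=True)[0]),
    }


if __name__ == "__main__":
    for name, (without_flag, with_flag) in scenarios().items():
        print(f"{name:32s} flag off: {without_flag!s:5s} flag on: {with_flag}")
```

The point the model makes is the one Lars relies on: when the list contains only CA certificates and the chain is properly signed, the flag changes nothing; it only bites when the certificate being verified is itself an entry of the list. If a configuration with a CA-only list fails under the flag, the verification input (the exact list and chain) is what needs to be examined, which is what Nikos asks for above.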
