gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The _gnutls_x509_verify_certificate fix

From: Simon Josefsson
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Tue, 11 Nov 2008 16:18:24 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux) 
Simon Josefsson <address@hidden> writes:

> Tomas Mraz <address@hidden> writes:
>
>> On Mon, 2008-11-10 at 21:04 +0100, Nikos Mavrogiannopoulos wrote:
>>> On Mon, Nov 10, 2008 at 2:47 PM, Tomas Mraz <address@hidden> wrote:
>>> > Hello,
>>> > given the recent fix in the _gnutls_x509_verify_certificate I have been
>>> > looking at the function. I see there are currently some limitations in
>>> > it. For example it now doesn't allow verification of explicitely trusted
>>> > self-signed site certificate. Is there some other method how this could
>>> > be achieved?
>>> You can achieve it by associating an address of a website with the
>>> keyid of the given
>>> certificate. This is more generic of trusting a self-signed
>>> certificate. You can trust any
>>> certificate first presented when accessing a website that way (ssh 
>>> security).
>>
>> But the patch should be modified anyway because in case the server
>> presents just a self-signed site certificate there will be a dereference
>> of the certificate_list[-1].
>>
>> It is also questionable whether the function should not also check for
>> clist_size of 0 before calling _gnutls_verify_certificate2().
>
> Indeed.  This may explain:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279

On reading more code, probably not, since all calls to
_gnutls_x509_verify_certificate goes through gnutls_x509_crt_list_verify
which does check for clist_size==0.  For readability, the two functions
should probably be merged into one.

/Simon
reply via email to
[Prev in Thread] Current Thread [Next in Thread]