Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
From: Lars Noschinski
Subject: Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
Date: Mon, 21 Jun 2010 12:43:43 +0200
User-agent: Mutt/1.5.20 (2009-06-14)
* Simon Josefsson <address@hidden> [10-06-21 11:32]:
> > I am wondering when the flag GNUTLS_VERIFY_DO_NOT_ALLOW_SAME should be
> > used. I've seen it in use in the Wocky library[0], which is used by the
> > instant messenger client empathy.
[...]
> I don't see any normal situation where this flag is useful.
>
> I'm not sure the behaviour you see is actually intended, I don't see why
> it should reject the chain here. So it may be a bug...
>
> The flag _may_ be useful if you have a X.509 Version 1 certificate as a
> trust anchor. You may want to trust a X.509v1 CA for verifying server
> certificates signed by the X.509v1 CA, but you definitely do not want to
> accept that certificate as the server certificate (because there are no
> name restriction extensions). On the other hand, you shouldn't use
> X.509v1 certificates anyway...
Just to clarify: Using GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT without
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is a sane choice (if one still needs to
deal with X.509v1 certificates).
-- Lars
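The flag semantics discussed in this exchange, as an added illustration that is not part of the thread and not GnuTLS's own verification code: a small Python model of the documented meaning of the two flags (DO_NOT_ALLOW_SAME: a certificate that merely appears in the trusted list, without being signed by a trusted issuer, is not accepted; ALLOW_X509_V1_CA_CRT: a trusted X.509v1 certificate may act as a CA). Certificate names, key identifiers and the "signature" check are constructed stand-ins, and the rule that a certificate never vouches for itself is the model's own assumption rather than something the thread establishes.

```python
"""Toy model of GNUTLS_VERIFY_DO_NOT_ALLOW_SAME and GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

Not GnuTLS code: it only follows the documented meaning of the two flags.
Certificates are plain records and a "signature" is a key-identifier match.
"""
from dataclasses import dataclass

# Flag bits named after the GnuTLS flags they stand in for (values are arbitrary).
DO_NOT_ALLOW_SAME = 0x1       # do not accept a cert merely because it is in the trusted list
ALLOW_X509_V1_CA_CRT = 0x2    # a *trusted* X.509v1 certificate may act as a CA

OK, SIGNER_NOT_FOUND, SIGNER_NOT_CA, BAD_SIGNATURE = (
    "ok", "signer not found", "signer is not a CA", "bad signature")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int      # 1 or 3
    pubkey: str       # stands in for the subject public key
    sig_key: str      # key that produced the signature (the issuer's key)
    ca: bool = False  # basicConstraints CA bit; v1 has no extensions, so ignored there


def may_act_as_ca(cert, trusted, flags):
    """Decide whether `cert` is allowed to have signed other certificates."""
    if cert.version >= 3:
        return cert.ca
    # An X.509v1 certificate carries no basicConstraints (and no name
    # constraints), so it is only treated as a CA when the application asks
    # for it explicitly, and then only for certificates in the trusted list.
    return bool(flags & ALLOW_X509_V1_CA_CRT) and cert in trusted


def verify(chain, trusted, flags):
    """Verify chain[0] (the server certificate). Returns (accepted, reason)."""
    leaf = chain[0]
    # The "same" shortcut: a certificate identical to a trust anchor is
    # accepted with no signature, CA or name check at all, unless the
    # application opted out with DO_NOT_ALLOW_SAME.
    if leaf in trusted and not flags & DO_NOT_ALLOW_SAME:
        return True, OK + " (server certificate is itself a trust anchor)"
    current = leaf
    candidates = list(chain[1:]) + list(trusted)
    while True:
        # Model assumption: a certificate never vouches for itself, so a
        # self-signed anchor presented as the server certificate is accepted
        # via the shortcut above or not at all.
        issuer = next((c for c in candidates
                       if c.subject == current.issuer and c != current), None)
        if issuer is None:
            return False, SIGNER_NOT_FOUND
        if not may_act_as_ca(issuer, trusted, flags):
            return False, SIGNER_NOT_CA
        if current.sig_key != issuer.pubkey:
            return False, BAD_SIGNATURE
        if issuer in trusted:
            return True, OK
        current = issuer


# Constructed sample data: a self-signed X.509v1 root used as the only trust
# anchor, and a server certificate it signed.
OLD_ROOT = Cert("CN=Old Root", "CN=Old Root", version=1, pubkey="K_root", sig_key="K_root")
SERVER = Cert("CN=xmpp.example.net", "CN=Old Root", version=3, pubkey="K_srv", sig_key="K_root")
TRUSTED = [OLD_ROOT]


def scenarios():
    """The four combinations the thread talks about, keyed by a short label."""
    return {
        "server, v1 CA allowed": verify([SERVER], TRUSTED, ALLOW_X509_V1_CA_CRT),
        "server, v1 CA not allowed": verify([SERVER], TRUSTED, 0),
        "anchor as server, same allowed": verify([OLD_ROOT], TRUSTED, ALLOW_X509_V1_CA_CRT),
        "anchor as server, same forbidden": verify(
            [OLD_ROOT], TRUSTED, ALLOW_X509_V1_CA_CRT | DO_NOT_ALLOW_SAME),
    }


if __name__ == "__main__":
    for label, (accepted, reason) in scenarios().items():
        print(f"{label:34} -> {'accept' if accepted else 'reject'} ({reason})")
```

Running the script shows the two points made above: with ALLOW_X509_V1_CA_CRT alone the server certificate verifies and the anchor itself is also accepted as a server certificate through the "same" shortcut, whereas adding DO_NOT_ALLOW_SAME keeps the server certificate verifying but rejects the anchor in that role. In real GnuTLS the corresponding flags are passed in the flags argument of gnutls_x509_crt_list_verify() or set on the credentials with gnutls_certificate_set_verify_flags().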