gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The _gnutls_x509_verify_certificate fix

From: Tomas Mraz
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Tue, 11 Nov 2008 11:10:48 +0100 
On Mon, 2008-11-10 at 21:04 +0100, Nikos Mavrogiannopoulos wrote:
> On Mon, Nov 10, 2008 at 2:47 PM, Tomas Mraz <address@hidden> wrote:
> > Hello,
> > given the recent fix in the _gnutls_x509_verify_certificate I have been
> > looking at the function. I see there are currently some limitations in
> > it. For example it now doesn't allow verification of explicitely trusted
> > self-signed site certificate. Is there some other method how this could
> > be achieved?
> You can achieve it by associating an address of a website with the
> keyid of the given
> certificate. This is more generic of trusting a self-signed
> certificate. You can trust any
> certificate first presented when accessing a website that way (ssh security).

But the patch should be modified anyway because in case the server
presents just a self-signed site certificate there will be a dereference
of the certificate_list[-1].

It is also questionable whether the function should not also check for
clist_size of 0 before calling _gnutls_verify_certificate2().

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

Attachment: gnutls-1.4.1-cve-2008-4989.patch
Description: Text Data

reply via email to
[Prev in Thread] Current Thread [Next in Thread]