_gnutls_verify_crt_status: apply algorithm checks to trusted CAs

If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise. Resolves: #877 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2019-12-19 09:37:34 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2019-12-19 20:13:47 +0100
commit: 1abb4298398ec6a942dc77384a19b3e3a2392341 (patch)
tree: 535697628d8d8745d51ab70cbfbb56ee9bbb2112 /NEWS
parent: 88b3fb2978558eb319eebdf776ac60884359a573 (diff)
download: gnutls-1abb4298398ec6a942dc77384a19b3e3a2392341.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 049f3b4ee0..15e268f2f6 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,11 @@ See the end for copying conditions.
    verification profile. Use '--verify-profile low' for certificate verification
    to apply the 'NORMAL' verification profile.
 
+** libgnutls: If a CA is found in the trusted list, check in addition to
+   time validity, whether the algorithms comply to the expected level prior
+   to accepting it. This addresses the problem of accepting CAs which would
+   have been marked as insecure otherwise (#877).
+
 ** API and ABI modifications:
 gnutls_ocsp_req_const_t: Added
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2019-12-19 09:37:34 +0100
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2019-12-19 20:13:47 +0100
commit	1abb4298398ec6a942dc77384a19b3e3a2392341 (patch)
tree	535697628d8d8745d51ab70cbfbb56ee9bbb2112 /NEWS
parent	88b3fb2978558eb319eebdf776ac60884359a573 (diff)
download	gnutls-1abb4298398ec6a942dc77384a19b3e3a2392341.tar.gz