author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-29 22:33:07 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2020-01-03 10:56:14 +0100 |
commit | af83068ffc2b3533d9195b1f59132551f6027976 (patch) | |
tree | 1e65a7af44117b3288ffdd0e8e7d0cf095c29727 /NEWS | |
parent | acb025f0d20cda0e2173c822e7d4efa611cce396 (diff) | |
download | gnutls-af83068ffc2b3533d9195b1f59132551f6027976.tar.gz | |
x509: reject certificates having duplicate extensions
According to RFC5280 a certificate must not include more than
one instance of a particular extension. We were previously printing
warnings when such extensions were found, but that is insufficient
to flag such certificates. Instead, refuse to import them.
Resolves: #887
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
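The rule the commit enforces, shown as an added example that is not GnuTLS code: a minimal DER walker that locates the Extensions field of a certificate and lists every extension OID that appears more than once, which RFC 5280 (section 4.2) forbids. The two sample certificates are constructed here (unsigned skeletons with placeholder fields, built by the `tlv`, `extension` and `sample_cert` helpers); all function and constant names are this example's own, not GnuTLS API.

```python
# Added illustration, not GnuTLS code: a minimal DER walker that lists every
# extension OID occurring more than once in a DER Certificate. RFC 5280 (4.2)
# forbids duplicates, so a non-empty result means refuse the import, not warn.

def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, end offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def iter_children(body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body (base-128 arcs) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in body:
        acc = (acc << 7) | (byte & 0x7F)
        if byte & 0x80:                   # continuation bit: arc not finished
            continue
        if not arcs:                      # first subidentifier encodes 40*X + Y
            x = min(acc // 40, 2)
            arcs += [x, acc - 40 * x]
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der: bytes) -> list:
    """Return every extension OID in a DER Certificate, in encoded order."""
    tag, cert, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):  # no trailing bytes allowed
        raise ValueError("Certificate must be exactly one SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    for tag, value in iter_children(tbs):
        if tag != 0xA3:                   # extensions [3] EXPLICIT
            continue
        tag, ext_list, _ = read_tlv(value, 0)
        if tag != 0x30:
            raise ValueError("Extensions must be a SEQUENCE")
        oids = []
        for ext_tag, ext in iter_children(ext_list):
            oid_tag, oid, _ = read_tlv(ext, 0)
            if ext_tag != 0x30 or oid_tag != 0x06:
                raise ValueError("Extension must be SEQUENCE { OID, ... }")
            oids.append(decode_oid(oid))
        return oids
    return []                             # v1/v2 certificate: no extensions

def duplicate_extensions(cert_der: bytes) -> list:
    """OIDs that appear more than once; RFC 5280 requires this to be empty."""
    seen, dups = set(), []
    for oid in extension_oids(cert_der):
        if oid in seen and oid not in dups:
            dups.append(oid)
        seen.add(oid)
    return dups

# --- constructed samples: unsigned skeleton certificates, not real ones ---
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (all sample elements are shorter than 256 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def extension(oid_body: bytes, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical TRUE, extnValue OCTET STRING }"""
    return tlv(0x30, tlv(0x06, oid_body) + tlv(0x01, b"\xff") + tlv(0x04, value))

def sample_cert(extensions: bytes) -> bytes:
    """Serial 1 and five empty placeholder SEQUENCEs around the Extensions."""
    empty = tlv(0x30, b"")
    tbs = tlv(0x02, b"\x01") + empty * 5 + tlv(0xA3, tlv(0x30, extensions))
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

BASIC_CONSTRAINTS, KEY_USAGE = b"\x55\x1d\x13", b"\x55\x1d\x0f"  # 2.5.29.19, .15
CA_TRUE, CA_FALSE = tlv(0x30, tlv(0x01, b"\xff")), tlv(0x30, b"")
KEY_USAGE_BITS = tlv(0x03, b"\x01\x06")  # BIT STRING: keyCertSign, cRLSign
GOOD_CERT = sample_cert(extension(BASIC_CONSTRAINTS, CA_TRUE)
                        + extension(KEY_USAGE, KEY_USAGE_BITS))
# Second basicConstraints contradicts the first; which one wins is undefined.
DUP_CERT = sample_cert(extension(BASIC_CONSTRAINTS, CA_TRUE)
                       + extension(KEY_USAGE, KEY_USAGE_BITS)
                       + extension(BASIC_CONSTRAINTS, CA_FALSE))
```

`duplicate_extensions(DUP_CERT)` returns `["2.5.29.19"]` while the well-formed sample returns an empty list; an importer that follows the commit's policy fails on any non-empty result before acting on a single extension, because the harm of a duplicate is that two consumers may honour different instances (here one says CA:TRUE, the other CA:FALSE). The walker also refuses trailing bytes after the outer SEQUENCE and any truncated length, since tolerance for malformed encodings is what lets such ambiguities through in the first place.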
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -27,6 +27,11 @@ See the end for copying conditions. for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. +** libgnutls: Reject certificates which contain duplicate extensions. We were + previously printing warnings when printing such a certificate, but that is + insufficient to flag such certificates as invalid. Instead we now refuse to + import them (#887). + ** libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would |
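Review bot: the added NEWS entry stutters ("printing warnings when printing such a certificate") and does not name the requirement it enforces, although the commit message cites RFC 5280. Because this turns a warning into an import failure for certificates that previously loaded, the entry should say so plainly so that users hitting the new error can identify the cause; something like "Reject certificates that contain duplicate extensions, as required by RFC 5280. Such certificates previously imported with a warning; they now fail to import (#887)."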