author:    Nikos Mavrogiannopoulos <nmav@gnutls.org>  2019-12-29 22:33:07 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com>  2020-01-03 10:56:14 +0100
commit:    af83068ffc2b3533d9195b1f59132551f6027976
tree:      1e65a7af44117b3288ffdd0e8e7d0cf095c29727 /NEWS
parent:    acb025f0d20cda0e2173c822e7d4efa611cce396
x509: reject certificates having duplicate extensions
According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them.

Resolves: #887

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'NEWS')
-rw-r--r--  NEWS  5
1 files changed, 5 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 51f1f05779..565b15455e 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,11 @@ See the end for copying conditions.
for all certificate verifications, not only under TLS. The configuration can
be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
+** libgnutls: Reject certificates which contain duplicate extensions. We were
+ previously printing warnings when printing such a certificate, but that is
+ insufficient to flag such certificates as invalid. Instead we now refuse to
+ import them (#887).
+
** libgnutls: If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected level prior
to accepting it. This addresses the problem of accepting CAs which would
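Review bot: the new entry describes a compatibility-affecting change but does not flag it as one: certificates that libgnutls previously imported (with a warning only when printed) will now fail to import, so applications that load such certificates from existing stores or peers will start getting errors at import time rather than a diagnostic. Suggest saying explicitly that this changes import behaviour and naming the error code the import functions now return for a duplicate extension, so callers know what to check for and what to report. Wording: "printing warnings when printing such a certificate" repeats "printing"; "We previously only emitted a warning when printing such a certificate" reads better. Not part of this change but visible in the hunk's leading context: "overriden" on the GNUTLS_SYSTEM_PRIORITY_FILE line should be "overridden".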