Gnu TLS developers patch flaw in certificate validation
The developers of GnuTLS, a free implementation of the "Transport Layer Security" protocol (TLS), have issued maintenance and security release 2.6.1 to fix a number of issues. One of the flaws dealt with is the X.509 certificate validation process, which did not properly check the client name in certificates and would thus accept any name. As a result, a server could easily assume another identity.
The flaw is thought to have been present in GnuTLS since version 1.2.4, although the report says that exploiting it requires more than just DNS spoofing. Martin von Gagern has published a detailed description of the problem. Non-security-relevant problems fixed included confusing the subject and issuer's DN in one function.
See also
- GnuTLS 2.6.1-Security release, GnuTLS security advisory
(djwm)