In association with heise online

14 November 2008, 09:39

Gnu TLS developers patch flaw in certificate validation

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers of GnuTLS, a free implementation of the "Transport Layer Security" protocol (TLS), have issued maintenance and security release 2.6.1 to fix a number of issues. One of the flaws dealt with is the X.509 certificate validation process, which did not properly check the client name in certificates and would thus accept any name. As a result, a server could easily assume another identity.

The flaw is thought to have been present in GnuTLS since version 1.2.4, although the report says that exploiting it requires more than just DNS spoofing. Martin von Gagern has published a detailed description of the problem. Non-security-relevant problems fixed included confusing the subject and issuer's DN in one function.

See also


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit