SSL certificate chain validation issues

Daniel Atallah datallah at
Mon Jun 23 10:51:07 EDT 2014

On Sun, Jun 22, 2014 at 8:16 PM, Mark Doliner <mark at> wrote:

> Attached patch that adds basic constraint checking for both gnutls and
> nss. I think we should go with this in 2.x.y, and save more elaborate
> fixes for the default branch.
> Anyone want to review this and make sure it looks sane? I think the
> gnutls code is basically the same as what I sent in my previous email.
> The libnss checks were inspired by the cert_VerifyCertChainOld()
> function. I'm hoping that this code is all temporary, and in we'll
> switch to using higher-level cert verification functions in default.

Perhaps I'm missing something, but it doesn't seem right that we're
treating certs without basic constraints as if they are CAs.

Is the thought that any cert that has a path back to a trusted root will
have basic constraints?

I'm not intimately familiar with either the gnutls or NSS APIs, but apart
from the question about missing basic constraints it seems ok to me.

I guess if this is the best that we can do for gnutls at the moment, that
seems ok, but not ideal.
My preference would be to include something like my complete NSS fix even
if we can't do the same for gnutls.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security mailing list