Should do certificate verification during TLS handshake, rather than after
Submitted by Michael Catanzaro
Assigned to Michael Catanzaro @mcatanzaro
Link to original bug (#793342)
Description
Currently GTlsConnectionGnutls is doing certificate verification (inside verify_peer_certificate()) after the call to gnutls_handshake() completes. I don't think that could cause security problems -- at least I can't think of how it would -- but the GnuTLS documentation [1] indicates that we should be doing it inside the call to gnutls_handshake() instead, either by:
- Using gnutls_certificate_set_verify_function and gnutls_certificate_verify_peers2, the old way; or
- Using gnutls_session_set_verify_function and maybe also gnutls_session_set_verify_cert (not sure if that's required), the new way
(Nikos, I assume it's OK to CC you on issues like these? I can stop if you want. :)
[1] https://www.gnutls.org/manual/html_node/TLS-handshake.html
Version: 2.55.x