diff options
author | lloyd <[email protected]> | 2014-04-05 15:25:14 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2014-04-05 15:25:14 +0000 |
commit | 4dc650c52ebb383508bbd9a3d4c178f5cc5871e4 (patch) | |
tree | 223010a498578d29f2598dca6989287f2773c0e9 /doc/relnotes | |
parent | a912a2ea250a5161d39e897ba3e37b003965237b (diff) |
X.509 path validation now performs all possible tests and returns a
set of error codes, instead of failing immediately on first error.
This prevents a 'weak' error like an expired certificate from hiding a
major error such as signature validation failure or hard revocation.
Diffstat (limited to 'doc/relnotes')
-rw-r--r-- | doc/relnotes/1_11_9.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/relnotes/1_11_9.rst b/doc/relnotes/1_11_9.rst index 8d9f17666..de88987eb 100644 --- a/doc/relnotes/1_11_9.rst +++ b/doc/relnotes/1_11_9.rst @@ -1,6 +1,15 @@ Version 1.11.9, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + * X.509 path validation now returns a set of all errors that occurred + during validation, rather than immediately returning the first + detected error. This prevents a seemingly innocuous error (such as + an expired certificate) from hiding an obviously serious error + (such as an invalid signature). The Certificate_Status_Code enum is + now ordered by severity, and the most severe error is returned by + Path_Validation_Result::result(). The entire set of status codes is + available with the new all_statuses call. + * Fixed a bug in OCSP response decoding which would cause an error when attempting to decode responses from some widely used responders. |