aboutsummaryrefslogtreecommitdiffstats
path: root/doc/relnotes
diff options
context:
space:
mode:
authorlloyd <[email protected]>2014-04-05 15:25:14 +0000
committerlloyd <[email protected]>2014-04-05 15:25:14 +0000
commit4dc650c52ebb383508bbd9a3d4c178f5cc5871e4 (patch)
tree223010a498578d29f2598dca6989287f2773c0e9 /doc/relnotes
parenta912a2ea250a5161d39e897ba3e37b003965237b (diff)
X.509 path validation now performs all possible tests and returns a
set of error codes, instead of failing immediately on first error. This prevents a 'weak' error like an expired certificate from hiding a major error such as signature validation failure or hard revocation.
Diffstat (limited to 'doc/relnotes')
-rw-r--r--doc/relnotes/1_11_9.rst9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/relnotes/1_11_9.rst b/doc/relnotes/1_11_9.rst
index 8d9f17666..de88987eb 100644
--- a/doc/relnotes/1_11_9.rst
+++ b/doc/relnotes/1_11_9.rst
@@ -1,6 +1,15 @@
Version 1.11.9, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ * X.509 path validation now returns a set of all errors that occurred
+ during validation, rather than immediately returning the first
+ detected error. This prevents a seemingly innocuous error (such as
+ an expired certificate) from hiding an obviously serious error
+ (such as an invalid signature). The Certificate_Status_Code enum is
+ now ordered by severity, and the most severe error is returned by
+ Path_Validation_Result::result(). The entire set of status codes is
+ available with the new all_statuses call.
+
* Fixed a bug in OCSP response decoding which would cause an error
when attempting to decode responses from some widely used
responders.