author lloyd <[email protected]> 2014-04-05 15:25:14 +0000
committer lloyd <[email protected]> 2014-04-05 15:25:14 +0000
commit 4dc650c52ebb383508bbd9a3d4c178f5cc5871e4
tree 223010a498578d29f2598dca6989287f2773c0e9 /doc
parent a912a2ea250a5161d39e897ba3e37b003965237b
X.509 path validation now performs all possible tests and returns a set of error codes, instead of failing immediately on first error. This prevents a 'weak' error like an expired certificate from hiding a major error such as signature validation failure or hard revocation.
Diffstat (limited to 'doc')
-rw-r--r-- doc/relnotes/1_11_9.rst 9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/relnotes/1_11_9.rst b/doc/relnotes/1_11_9.rst
index 8d9f17666..de88987eb 100644
--- a/doc/relnotes/1_11_9.rst
+++ b/doc/relnotes/1_11_9.rst
@@ -1,6 +1,15 @@
Version 1.11.9, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ * X.509 path validation now returns a set of all errors that occurred
+ during validation, rather than immediately returning the first
+ detected error. This prevents a seemingly innocuous error (such as
+ an expired certificate) from hiding an obviously serious error
+ (such as an invalid signature). The Certificate_Status_Code enum is
+ now ordered by severity, and the most severe error is returned by
+ Path_Validation_Result::result(). The entire set of status codes is
+ available with the new all_statuses call.
+
* Fixed a bug in OCSP response decoding which would cause an error
when attempting to decode responses from some widely used
responders.
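
Review bot: the last sentence of the added entry names "the new all_statuses call" without saying which class it belongs to, while the sentence before it spells out Path_Validation_Result::result(). Qualify it the same way (and add the parentheses) so a reader can find it in the API reference. The entry also states that the Certificate_Status_Code enum "is now ordered by severity", which implies the enumerators were reordered; it would help to say explicitly whether their numeric values changed, since applications that store, log or compare raw status codes would need to know. A short sentence telling callers that checked result() against a single specific error to consult the full set instead would make the behaviour change easier to act on.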