crocs-muni / usable-cert-validation

Research initiative to make TLS certificate validation usable.
https://x509errors.org
MIT License

Mismatch of errors online/internally #112

Open mukrop opened 2 years ago

mukrop commented 2 years ago

Online at x509errors.org, we present 95 different OpenSSL errors. However, internally, in the error overview table in gDrive, we have only 78. Where's the difference?

PS: Internally, we highlight differences in error code and the documentation code that was probably already merged in the PR by Eric. Confirm and delete the internal note.

PS2: It seems the internal table is not current also for other libraries (e.g. GnuTLS).

zacikpa commented 2 years ago

I've just updated the internal OpenSSL table. It's now up to date with the library.

> PS2: It seems the internal table is not current also for other libraries (e.g. GnuTLS).

It gets a bit tricky here. As an example, GnuTLS returns GNUTLS_E_ASN1_DER_ERROR for one of our certificates, so I included it in the web. However, this is a general parsing error, not necessarily related to certs. GnuTLS doesn't list it among other X.509 related errors. Do we want all such errors in our tables as well?

mukrop commented 2 years ago

> I've just updated the internal OpenSSL table. It's now up to date with the library.

Thanks. What caused the differences? Did the OpenSSL devs add some?

> > PS2: It seems the internal table is not current also for other libraries (e.g. GnuTLS).
>
> It gets a bit tricky here. As an example, GnuTLS returns GNUTLS_E_ASN1_DER_ERROR for one of our certificates, so I included it in the web. However, this is a general parsing error, not necessarily related to certs. GnuTLS doesn't list it among other X.509 related errors. Do we want all such errors in our tables as well?

I see. I'm not 100% convinced, though I'd probably prefer adding them internally as well (possibly with a note or under a line denoting them). What do you think?