Patric Hornik reports on a problem in the certificate chain
verification procedures of GnuTLS that may result in a
denial-of-service vulnerability:
The certificate chain should be verified from last root
certificate to the first certificate. Otherwise a lot
of unauthorized CPU processing can be forced to check
certificate signatures signed with arbitrary RSA/DSA keys
chosen by attacker.
In GnuTLS the signatures are checked from first to last
certificate, there is no limit on size of keys and no
limit on length of certificate chain.