Verifying Certificates with a large amount of name constraints and subject alternative names makes GnuTLS vulnerable to DoS attacks
## Description of problem:
When trying to verify a certificate chain using the `certtool --verify` command with certificates that contain a larger number of SANs and Name Constraints, GnuTLS tries to verify all of them, without any bound on the quantity of those fields.
Using those crafted malicious certificates, GnuTLS is vulnerable to DoS attacks by excessive usage of CPU and memory.
## Version of gnutls used:
3.8.11
## How reproducible:
Steps to Reproduce:
```bash
certtool --verify --load-ca-certificate=ca_rsa.crt --infile=chain.pem
```
## Results:
Using the `top` command to monitor CPU and memory consumption, we see that CPU usage quickly reaches 100%, and memory consumption is monotonically increasing without any upper bound.
[ca_rsa.crt](/uploads/cc4cb3bc483ba8a9afd8275e38330860/ca_rsa.crt)
[chain.pem](/uploads/cb2a95a9c3ce192e00cd849864246cfc/chain.pem)
I'm not sure about the confidentiality, but I would also be happy to make this public. If you need any more information just let me know.
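
A bound of the kind the report says is absent can be enforced by the caller before a chain is handed to the verifier. The following is an added example, not code from the reporter or from GnuTLS: it walks the DER of each certificate and counts SAN entries and name-constraint subtrees. `MAX_NAMES`, the function names and the sample bytes are assumptions made for illustration.

```python
# MAX_NAMES is an assumed policy limit, not a GnuTLS setting.
SAN_OID, NC_OID = bytes.fromhex("551d11"), bytes.fromhex("551d1e")  # 2.5.29.17 / .30
MAX_NAMES = 1024

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def count_names(cert_der):
    """Return (san_entries, name_constraint_subtrees) for one DER certificate."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]
    san = nc = 0
    for val in (v for t, v in children(tbs) if t == 0xA3):  # [3] extensions
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)         # OID, optional critical, OCTET STRING
            oid, body = fields[0][1], fields[-1][1]
            if oid == SAN_OID:             # SEQUENCE OF GeneralName
                san += len(children(read_tlv(body, 0)[1]))
            elif oid == NC_OID:            # [0] permitted / [1] excluded subtrees
                for _, subtrees in children(read_tlv(body, 0)[1]):
                    nc += len(children(subtrees))
    return san, nc

def within_limits(chain_der, limit=MAX_NAMES):
    """True if no certificate in the chain exceeds the limit on either count."""
    return all(max(count_names(c)) <= limit for c in chain_der)

# Constructed skeleton (not a valid certificate): 2 SANs, 1 permitted + 1 excluded subtree.
SAMPLE = bytes.fromhex(
    "30453043a341303f30190603551d11041230108206612e746573748206622e74657374"
    "30220603551d1e0101ff04183016a0083006820474657374a10a30088206782e74657374")
```

Malformed input raises `ValueError` or `IndexError`; a caller should treat either as a rejection rather than pass the certificate on.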