gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at josefsson.org
Fri Jan 9 17:54:10 CET 2009


"Douglas E. Engert" <deengert at anl.gov> writes:

> Simon Josefsson wrote:
>> Simon Josefsson <simon at josefsson.org> writes:
>>
>>> "Douglas E. Engert" <deengert at anl.gov> writes:
>>>
>>>> Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0)
>>>> and the CA self signed cert (7651b327.0)
>>> Thanks, I can reproduce the problem.  Should be fixed with this patch:
>>>
>>>  http://git.savannah.gnu.org/cgit/gnutls.git/commit/
>>
>> Sorry, that link was wrong.  For the 2.6.x branch the proper link is:
>>
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0
>>
>> Please test the patch and confirm whether or not it works for you.  I
>> think we should do a new 2.6.x release to deal with this.
>
> I tried the patch against the Ubuntu version, but it still fails. Looking
> at 2.6.3 and the Ubuntu version I don't see any differences in this area.
>
>
> When using ldasearch, gnutls_x509_crl_verify is called with flags=0.
>
> I don't see where GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT or
> GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT are set.

The default is to reject V1 CA's, so the application need to supply
either flag if they want a particular behaviour.

By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
flags parameter.  If you call the verification through
gnutls_session_verify_peers, you can use the
gnutls_certificate_set_verify_flags function to set the flags to use
(like cli.c does).

> I do see that the src/cli.c in the init_global_tls_stuff but cli.c is
> a test program(?) and  not part of the lib.
>
> I do see that in 2.6.3 lib/x509/verify.c will XOR?
> it at line 444 (2.6.3 version) flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
> But that is too late,
> as _gnutls_verify_certificate2 is called at line 402 with flags=0.
>
> Also should line 444 be |= rather the ^= ?

That code is meant to _remove_ the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
flag from the flags parameter, unless
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is set.

/Simon

>
>>
>> The latest daily build contains all fixes, so everyone, please test this
>> as if it were a new 2.6.x release:
>>
>> http://daily.josefsson.org/gnutls-2.6/gnutls-2.6-20090109.tar.gz
>>
>> It is a good time to raise other problems with 2.6.x now.
>>
>> Thanks,
>> /Simon
>>
>>
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444





More information about the Gnutls-devel mailing list