Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417]

Andreas Metzler ametzler at downhill.at.eu.org
Sun Jan 17 09:37:12 CET 2010 

Ping?

On 2010-01-09 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
> On 2009-04-30 Simon Josefsson <simon at josefsson.org> wrote:
> [...]
> > We have set up three demo URLs with expired certificates for testing
> > purposes:

> > https://expired.demo.gnutls.org/ - Expired server certificate
> [...]
> > You can test them like this:

> > jas at mocca:~$ gnutls-cli expired.demo.gnutls.org
> > Resolving 'expired.demo.gnutls.org'...
> > Connecting to '207.192.75.61:443'...
> > - Ephemeral Diffie-Hellman parameters
> >  - Using prime: 2056 bits
> >  - Secret key: 2047 bits
> >  - Peer's public key: 2048 bits
> > - Certificate type: X.509
> >  - Got a certificate list of 1 certificates.

> >  - Certificate[0] info:
> >  # The hostname in the certificate matches 'expired.demo.gnutls.org'.
> >  # valid since: Wed Apr 22 00:00:58 CEST 2009
> >  # expires at: Thu Apr 23 00:00:58 CEST 2009
> >  # fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
> >  # Subject's DN: CN=expired.demo.gnutls.org
> >  # Issuer's DN: O=CA for expired.demo.gnutls.org
> >  # error: certificate has expired
> > jas at mocca:~$ 

> > The expected behaviour is that gnutls-cli should complain that the
> > certificate has expired for all URLs.
> [...]
> >        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
> >  	printf ("- Peer's certificate issuer is unknown\n");
> > +      if (status & GNUTLS_CERT_NOT_ACTIVATED)
> > +	printf ("- Peer's certificate chain uses not yet valid certificate\n");
> > +      if (status & GNUTLS_CERT_EXPIRED)
> > +	printf ("- Peer's certificate chain uses expired certificate\n");
> >        if (status & GNUTLS_CERT_INVALID)
> >  	printf ("- Peer's certificate is NOT trusted\n");
> >        else


> Hello,

> this test does not work for me with any version of gnutls. There is no
> "error: certificate has expired" or even "Peer's certificate chain
> uses expired certificate".

> 2.4.2+patch:
> ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
> Resolving 'expired.demo.gnutls.org'...
> Connecting to '207.192.75.61:443'...
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 2056 bits
>  - Secret key: 2039 bits
>  - Peer's public key: 2048 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.

>  - Certificate[0] info:
>  # The hostname in the certificate matches 'expired.demo.gnutls.org'.
>  # valid since: Wed Apr 22 00:00:58 CEST 2009
>  # expires at: Thu Apr 23 00:00:58 CEST 2009
>  # fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
>  # Subject's DN: CN=expired.demo.gnutls.org
>  # Issuer's DN: O=CA for expired.demo.gnutls.org


> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.1
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed

> 2.8.5
> (SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
> Resolving 'expired.demo.gnutls.org'...
> Connecting to '207.192.75.61:443'...
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 2048 bits
>  - Secret key: 2047 bits
>  - Peer's public key: 2048 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>  - Certificate[0] info:
>   - subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
> - The hostname in the certificate matches 'expired.demo.gnutls.org'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.1
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed

> 2.9.9:
> (SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
> Resolving 'expired.demo.gnutls.org'...
> Connecting to '207.192.75.61:443'...
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 2048 bits
>  - Secret key: 2045 bits
>  - Peer's public key: 2045 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>  - Certificate[0] info:
>   - subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
> - The hostname in the certificate matches 'expired.demo.gnutls.org'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.1
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed

> cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gnutls-devel mailing list