[gnutls-devel] cert verification failure with 3.1.8

James Cloos cloos at jhcloos.com
Thu Feb 14 19:02:08 CET 2013


I just tested gnutls-cli to one of my servers, and where deb's 3.0.22
worked, gentoo's 3.1.8 failed.

The cert has the bare domain in CN, and both that and a wildcard in subj
alt name.  I.e., akin to:

  CN=example.com
  SubjAltName:DNSName=example.com
  SubjAltName:DNSName=example.com
  SubjAltName:DNSName=*.example.com

(Yes, it is doubled; certtool(1) must add the CN to the SubjAltName on its
own, even when it is explicitly entered at the prompt?)

3.1.8 balked at verifying the cert, looking only at the CN.  Or maybe
giving up because of the doubled DNS Names?

I don't recall this from 3.1.7, but the wildcard cert is new on that box
and I may have upgraded to 3.1.8 before adding it.

The server in question has only that cert, so sni should be an issue, yes?

3.0.22 prints:

- The hostname in the certificate matches 'host.example.com'.

whereas 3.1.8 does not, even for a server/cert tuple they both do verify.

Otherwise, for tuples which they both verify or fail, the output of the
two versions contains the same data.

3.1.8 does work when the wildcard is in the CN, such as with google.com
or code.google.com (which, unlike www.google.com, seem to use the same
wildcard cert with CN=*.google.com and many dns names in subjaltname,
including *.google.com and google.com).

For comparison, openssl-1.0.1c's s_client is happy with the wildcard in
the subjaltname.

Is there a best practices note on a cert for both the bare domain and a
wildcard thereunder?  Last I tried, apache's mod_ssl insisted on the CN
matching the virtual's ServerName, although nginx seems happy with the
servername only in subjaltname. ???

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
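As an added illustration (not code from the post or from GnuTLS), here are the RFC 6125 name-matching rules a TLS client is expected to apply, run against a constructed cert with the shape described above: bare domain in CN, the bare domain twice plus a wildcard in subjectAltName. `CertNames` is a made-up stand-in for the fields parsed out of an X.509 cert; the point it shows is that once any dNSName SAN is present the CN is not consulted, and that a wildcard covers exactly one label, so `*.example.com` matches `host.example.com` but not `example.com` itself.

```python
"""Hostname matching against a certificate's CN and subjectAltName dNSNames.

Implements the RFC 6125 rules: if the cert carries any dNSName SAN entries,
only those are consulted (the CN is ignored); the CN is a fallback only when
there are none. A wildcard must be the whole leftmost label and matches
exactly one label, so '*.example.com' matches 'host.example.com' but not
'example.com' or 'a.b.example.com'.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Constructed stand-in for the name fields parsed out of an X.509 cert."""
    cn: str
    dns_sans: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def _pattern_matches(pattern: str, hostname: str) -> bool:
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):                 # a wildcard covers exactly one label
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3:        # only a bare '*' leftmost label, never *.tld
        return False
    return p[1:] == h[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """Return True if hostname is covered by the cert's names."""
    # Duplicate SAN entries (as certtool may emit) are harmless: dedupe them.
    sans = list(dict.fromkeys(cert.dns_sans))
    candidates = sans if sans else [cert.cn]   # CN only when no dNSName SAN
    return any(_pattern_matches(c, hostname) for c in candidates)


# The cert shape described in the post: bare domain in CN, bare domain (twice)
# and a wildcard in subjectAltName.
POSTED_CERT = CertNames(cn="example.com",
                        dns_sans=["example.com", "example.com", "*.example.com"])
# A cert with the wildcard in the CN and the same names in SAN (google-style).
WILDCARD_CN_CERT = CertNames(cn="*.google.com",
                             dns_sans=["*.google.com", "google.com"])

if __name__ == "__main__":
    for host in ("example.com", "host.example.com", "a.b.example.com"):
        print(host, hostname_matches(POSTED_CERT, host))
```

A client that only looks at the CN would still accept `host.example.com` against `WILDCARD_CN_CERT` but reject it against `POSTED_CERT`, which is the asymmetry the post reports.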
