[gnutls-devel] turkish CA certificate

Ludwig Nussel ludwig.nussel at suse.de
Fri Jun 6 15:59:51 CEST 2014

Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
>> I got this certificate from OpenSUSE repository
>> packageca-certificates-mozilla,
>> I guess it is trusted and public available.
>> OpenSSL shows it correctly
>> openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
>> -text -noout
>> But GNUTLS command
>> certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> Hello,
>   This must be the same certificate Kurt reported few days ago. It
> mis-encodes the country name as UTF8String rather than printable
> string, and this is the reason decoding fails.
> RFC5280 is strict on the encoding of countryName and that is a PrintableString:
> X520countryName ::=     PrintableString (SIZE (2))
> I guess all other implementations give some slack to the spec and
> that's why they didn't notice. How important is that certificate would
> it make sense to work around and allow such invalid encodings?

If the certificate violates the spec it might also be worth reporting to
mozilla so they don't accept such certificates in the first place.


  (o_   Ludwig Nussel
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

More information about the Gnutls-devel mailing list