[gnutls-devel] turkish CA certificate
home_pw at msn.com
Fri Jun 6 18:14:39 CEST 2014
More likely it's a signature for traffic isolation.
Sent from my Windows Phone
From: Kurt Roeckx<mailto:kurt at roeckx.be>
Sent: 6/6/2014 9:12 AM
To: Ludwig Nussel<mailto:ludwig.nussel at suse.de>
Cc: gnutls-devel at lists.gnutls.org<mailto:gnutls-devel at lists.gnutls.org>
Subject: Re: [gnutls-devel] turkish CA certificate
On Fri, Jun 06, 2014 at 03:59:51PM +0200, Ludwig Nussel wrote:
> Nikos Mavrogiannopoulos wrote:
> >On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
> >>I got this certificate from OpenSUSE repository
> >>I guess it is trusted and public available.
> >>OpenSSL shows it correctly
> >>openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt -text -noout
> >>But GNUTLS command
> >>certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> > This must be the same certificate Kurt reported a few days ago. It
> >mis-encodes the country name as UTF8String rather than printable
> >string, and this is the reason decoding fails.
> >RFC5280 is strict on the encoding of countryName and that is a PrintableString:
> >X520countryName ::= PrintableString (SIZE (2))
> >I guess all other implementations give some slack to the spec and
> >that's why they didn't notice. How important is that certificate? Would
> >it make sense to work around and allow such invalid encodings?
> If the certificate violates the spec it might also be worth reporting to
> mozilla so they don't accept such certificates in the first place.
This is actually on my list of things to do. I think I have found a
2nd issuer but didn't have time to look at it yet.
Gnutls-devel mailing list
Gnutls-devel at lists.gnutls.org
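The strict countryName rule quoted in the thread (`X520countryName ::= PrintableString (SIZE (2))`) can be checked directly on a DER-encoded Name. The following is an added example, not code from GnuTLS or from any participant in the thread; the function names are hypothetical and the sample Names are constructed, not bytes from the certificate under discussion.

```python
# Added example: strict RFC 5280 check of countryName inside a DER-encoded Name.
COUNTRY_OID = bytes.fromhex("550406")  # 2.5.4.6 (id-at-countryName)
TAG_NAMES = {0x0C: "UTF8String", 0x14: "TeletexString", 0x1E: "BMPString"}

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_country(name_der):
    """Return a list of RFC 5280 violations in countryName attributes."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    problems = []
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # AttributeTypeAndValue SEQUENCE
            parts = list(children(atv))
            if len(parts) != 2 or parts[0] != (0x06, COUNTRY_OID):
                continue                 # not a countryName attribute
            val_tag, val = parts[1]
            if val_tag != 0x13:          # 0x13 is the PrintableString tag
                kind = TAG_NAMES.get(val_tag, hex(val_tag))
                problems.append(f"countryName is {kind}, expected PrintableString")
            if len(val) != 2:
                problems.append(f"countryName has {len(val)} bytes, expected 2")
    return problems

def sample_name(value_tag, country=b"TR"):
    """Build a constructed one-attribute Name (short lengths only)."""
    tlv = lambda t, v: bytes([t, len(v)]) + v
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(value_tag, country))))
```

`check_country(sample_name(0x0C))` reports the UTF8String encoding described in the thread, while the same value tagged as PrintableString passes.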