[gnutls-devel] turkish CA certificate

Peter Williams home_pw at msn.com
Fri Jun 6 18:14:39 CEST 2014


More likely it's a signature for traffic isolation.

Sent from my Windows Phone
________________________________
From: Kurt Roeckx<mailto:kurt at roeckx.be>
Sent: 6/6/2014 9:12 AM
To: Ludwig Nussel<mailto:ludwig.nussel at suse.de>
Cc: gnutls-devel at lists.gnutls.org<mailto:gnutls-devel at lists.gnutls.org>
Subject: Re: [gnutls-devel] turkish CA certificate

On Fri, Jun 06, 2014 at 03:59:51PM +0200, Ludwig Nussel wrote:
> Nikos Mavrogiannopoulos wrote:
> >On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
> >>I got this certificate from the OpenSUSE repository
> >>package ca-certificates-mozilla,
> >>I guess it is trusted and publicly available.
> >>OpenSSL shows it correctly
> >>openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt -text -noout
> >>But GNUTLS command
> >>certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> >
> >Hello,
> >  This must be the same certificate Kurt reported a few days ago. It
> >mis-encodes the country name as UTF8String rather than PrintableString,
> >and this is the reason decoding fails.
> >RFC5280 is strict on the encoding of countryName, and that is a PrintableString:
> >X520countryName ::=     PrintableString (SIZE (2))
> >
> >I guess all other implementations give some slack to the spec and
> >that's why they didn't notice. How important is that certificate? Would
> >it make sense to work around and allow such invalid encodings?
>
> If the certificate violates the spec it might also be worth reporting to
> mozilla so they don't accept such certificates in the first place.

This is actually on my list of things to do.  I think I have found a
2nd issuer but didn't have time to look at it yet.


Kurt
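
The encoding check discussed in this thread, as an added example that is not part of the original messages or of GnuTLS: a small DER walker that reports every countryName (OID 2.5.4.6) whose value is not a two-character PrintableString. The helper names and the C=TR sample Name are constructed for illustration.

```python
# Added example: flag countryName (OID 2.5.4.6) values that are not the
# two-character PrintableString that RFC 5280 requires.
COUNTRY_OID = bytes.fromhex("550406")  # DER content octets of 2.5.4.6
PRINTABLE_STRING = 0x13
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString",
             0x14: "TeletexString", 0x16: "IA5String", 0x1E: "BMPString"}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER value runs past its container")
    return tag, pos, pos + length

def country_findings(buf, start=0, end=None):
    """Return (string_type, value, compliant) for every countryName found."""
    end = len(buf) if end is None else end
    findings, pos, prev_oid = [], start, None
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if prev_oid == COUNTRY_OID:  # this TLV is the attribute value
            value = buf[vs:ve]
            ok = tag == PRINTABLE_STRING and len(value) == 2
            findings.append((TAG_NAMES.get(tag, hex(tag)),
                             value.decode("utf-8", "replace"), ok))
        elif tag & 0x20:  # constructed: descend into SEQUENCE / SET / [n]
            findings += country_findings(buf, vs, ve)
        prev_oid = buf[vs:ve] if tag == 0x06 else None
        pos = ve
    return findings

def tlv(tag, body):
    """Encode a short-form DER TLV (bodies under 128 bytes only)."""
    return bytes([tag, len(body)]) + body

def sample_name(string_tag):
    """Constructed Name holding only C=TR, encoded with the given string tag."""
    atv = tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(string_tag, b"TR"))
    return tlv(0x30, tlv(0x31, atv))
```

To check a real certificate, convert the PEM to DER with `ssl.PEM_cert_to_DER_cert()` and pass the bytes to `country_findings()`; the issuer and subject countryName values are both reported.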

