[gnutls-devel] gnutls 3.5.6

Daniel P. Berrange berrange at redhat.com
Fri Nov 11 11:07:30 CET 2016


On Fri, Nov 04, 2016 at 08:28:02AM +0100, Nikos Mavrogiannopoulos wrote:
> Hello, 
>  I've just released gnutls 3.5.6. This is an enhancement and
> bugfix release for the 3.5.x branch.
> 
> 
> * Version 3.5.6 (released 2016-11-04)
> 
> ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
>    (pre-rfc5652) structures with arbitrary encapsulated content.
> 
> ** libgnutls: Introduced a function group to set known DH parameters
>    using groups from RFC7919.
> 
> ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
>    Now the generated textual DN is in reverse order according to RFC4514,
>    and functions which generate a DN from strings such as gnutls_x509_crt_set_*dn()
>    set the expected DN (reverse of the provided string).

IIUC, this is responsible for a change in behaviour seen by libvirt.
Previously the client cert DN would get reported as

    C=UK,CN=libvirt

and with new version we're getting back

    CN=libvirt,C=UK

This is causing a regression for libvirt. The libvirt server has ability
to set a whitelist against the DN string, against which we do a regex
match.

eg the sysadmin may have defined a whitelist of

    C=UK,CN=libvirt-client-*

to allow all certs issued to libvirt clients.

This change in DN ordering by gnutls breaks any existing whitelists
our admins have set up, as well as breaking the libvirt test suite
which validates this.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
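The thread above shows why a whitelist matched as a flat regex against the rendered DN string is fragile: the same certificate subject is reported as `C=UK,CN=libvirt` by gnutls before 3.5.6 and as `CN=libvirt,C=UK` (RFC 4514 order) afterwards. The following is an added example, not code from libvirt or gnutls, illustrating a defender-side check that survives the ordering change: the DN is parsed into its RDN components (handling RFC 4514 backslash and hex escapes), each whitelist entry is parsed the same way, and the entry is matched component by component in either direction. It assumes glob-style `*` wildcards within a single RDN value (via `fnmatch`) rather than libvirt's actual regex semantics, and the `parse_dn`, `rdn_matches` and `dn_allowed` names are the example's own.

```python
import fnmatch
import string
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 textual DN into (attribute, value) pairs, in the
    order they appear in the string.  Handles '\\,' style escapes and
    '\\2C' style hex escapes inside values; multi-valued RDNs joined with
    '+' are left as one value string (sufficient for this illustration)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(chr(int(hexpair, 16)))  # hex escape, e.g. \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])  # simple escape, e.g. \, -> ','
                i += 2
            continue
        if ch == ",":  # unescaped comma terminates the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        if not part.strip():
            raise ValueError("empty RDN in DN: %r" % dn)
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=' in DN: %r" % dn)
        # Attribute types are case-insensitive; values are compared as given.
        rdns.append((attr.strip().upper(), value))
    return rdns


def rdn_matches(pattern: RDN, rdn: RDN) -> bool:
    """One whitelist component against one certificate component.  The
    wildcard is confined to a single value, so 'libvirt-client-*' cannot
    swallow a following ',OU=...' the way a bare '.*' regex could."""
    pattr, pval = pattern
    attr, val = rdn
    return pattr == attr and fnmatch.fnmatchcase(val, pval)


def dn_allowed(dn: str, whitelist: List[str]) -> bool:
    """True if the DN matches any whitelist entry, regardless of whether the
    library rendered the RDNs in pre-3.5.6 order or in RFC 4514 order."""
    rdns = parse_dn(dn)
    for entry in whitelist:
        pattern = parse_dn(entry)
        if len(pattern) != len(rdns):
            continue  # extra or missing components never match
        for candidate in (rdns, list(reversed(rdns))):
            if all(rdn_matches(p, r) for p, r in zip(pattern, candidate)):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample values, modelled on the DNs quoted in the thread.
    WHITELIST = ["C=UK,CN=libvirt-client-*"]
    for subject in ("C=UK,CN=libvirt-client-01",   # pre-3.5.6 rendering
                    "CN=libvirt-client-01,C=UK",   # RFC 4514 rendering
                    "CN=libvirt,C=UK"):            # not a client cert
        print(subject, "->", dn_allowed(subject, WHITELIST))
```

Matching both directions is a compatibility shim: once every deployment reports RFC 4514 order, the reversed candidate can be dropped and whitelists rewritten to the new order, but the per-component match and the strict component count are worth keeping either way.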


