[gnutls-devel] DER decoding errors due to time format

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue May 9 14:48:08 CEST 2017


Hi,
 gnutls 3.5.x is more strict in certificate decoding and performs
various checks in the Time fields to ensure they are properly DER
formatted. However, it seems that this caused regressions with
certain certificates generated by ovirt as seen in [0]. I am not sure
which software was used to generate the problematic ones, however, it
is most likely openssl, or some other open source software. Are you
aware of other or similar decoding issues which were a result of 3.5.x
being more strict in DER rules?

The options we have are:
 1. Ignore the error and insist on DER correctness in input certificates.
 2. Allow incorrectly formatted time fields in certificates
unconditionally, e.g., with a special libtasn1 flag:
https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc

Any other option I've missed? While I favor the first for its
simplicity, reality has shown over the years we must yield towards the
'work' part.

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/issues/196
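
As an added illustration (not code from gnutls, libtasn1 or this message), the following Python sketch classifies an encoded Time element as strict DER, acceptable only under looser BER rules, or invalid, which is the distinction between options 1 and 2 above. The DER patterns follow X.690 sections 11.7 and 11.8; the BER patterns are a simplified approximation, and the sample encodings are constructed, not taken from the ovirt certificates.

```python
import re

# Tags of the two ASN.1 time types used in X.509 validity fields.
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18

# DER forms (X.690 11.7 and 11.8): seconds present, terminated by "Z",
# and any GeneralizedTime fraction written without trailing zeros.
DER_UTC = re.compile(rb"\d{12}Z")
DER_GEN = re.compile(rb"\d{14}(\.\d*[1-9])?Z")
# Simplified approximation of the looser BER forms: optional seconds,
# "." or "," fraction, "Z" or a +/-hhmm offset (local time for GeneralizedTime).
BER_UTC = re.compile(rb"\d{10}(\d{2})?(Z|[+-]\d{4})")
BER_GEN = re.compile(rb"\d{10}(\d{2}(\d{2})?)?([.,]\d+)?(Z|[+-]\d{4})?")


def check_time_tlv(tlv: bytes) -> str:
    """Classify one encoded Time element as 'der', 'ber-only' or 'invalid'."""
    if len(tlv) < 2 or tlv[0] not in (UTC_TIME, GENERALIZED_TIME):
        return "invalid"
    length = tlv[1]
    # This sketch parses short-form lengths only and does not range-check
    # the calendar fields (month, day, hour, ...).
    if length & 0x80 or len(tlv) != 2 + length:
        return "invalid"
    content = tlv[2:]
    der, ber = (DER_UTC, BER_UTC) if tlv[0] == UTC_TIME else (DER_GEN, BER_GEN)
    if der.fullmatch(content):
        return "der"
    if ber.fullmatch(content):
        return "ber-only"
    return "invalid"


def tlv(tag: int, content: bytes) -> bytes:
    """Build a short-form tag-length-value element for the samples below."""
    return bytes([tag, len(content)]) + content


# Constructed sample encodings (hypothetical, for illustration only).
SAMPLES = {
    "utc_ok": tlv(UTC_TIME, b"170509124808Z"),
    "utc_no_seconds": tlv(UTC_TIME, b"1705091248Z"),
    "utc_offset": tlv(UTC_TIME, b"170509144808+0200"),
    "gen_ok": tlv(GENERALIZED_TIME, b"20170509124808Z"),
    "gen_zero_fraction": tlv(GENERALIZED_TIME, b"20170509124808.0Z"),
    "bad_length": b"\x17\x0d" + b"17050912480Z",
}


def triage(samples: dict) -> dict:
    """Map each sample name to its classification."""
    return {name: check_time_tlv(raw) for name, raw in samples.items()}
```

A strict decoder (option 1) would accept only the `der` results; a lenient one (option 2) would also accept `ber-only`.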


