[gnutls-devel] DER decoding errors due to time format

Daniel P. Berrange berrange at redhat.com
Wed May 10 11:12:43 CEST 2017


On Tue, May 09, 2017 at 08:26:55PM +0200, Nikos Mavrogiannopoulos wrote:
> On Tue, 2017-05-09 at 14:04 +0100, Daniel P. Berrange wrote:
> > On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos
> > wrote:
> > > Hi,
> > >  gnutls 3.5.x is more strict in certificate decoding and performs
> > > various checks in the Time fields to ensure they are properly DER
> > > formatted. However, it seems that this caused regressions with
> > > certain certificates generated by ovirt as seen in [0]. I am not sure
> > > which software was used to generate the problematic ones, however, it
> > > is most likely openssl, or some other open source software. Are you
> > > aware of other or similar decoding issues which were a result of 3.5.x
> > > being more strict in DER rules?
> > > 
> > > The options we have are:
> > >  1. Ignore the error and insist on DER correctness in input
> > > certificates.
> > >  2. Allow incorrectly formatted time fields in certificates
> > > unconditionally, e.g., with a special libtasn1 flag:
> > > https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc
> > > 
> > > any other option I've missed? While I favor the first for its
> > > simplicity, reality has shown over the years we must yield towards the
> > > 'work' part.
> > 
> > Have you succeeded in getting any contact with oVirt community to find
> > out how they are generating their certs? That might give some clarity
> > on whether it is just a minor bug in their code, vs following common/
> > wide practice. It isn't clear if it even affects all oVirt users or
> > just some subset of them, vs likely to affect large numbers of non-
> > oVirt users too
> 
> Seems like a good point. I wouldn't know where to ask. Any suggestions?

Simplest is probably to ping the #ovirt channel on irc.oftc.net [1]

Regards,
Daniel

[1] https://www.ovirt.org/community/
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
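To make concrete what "properly DER formatted" means for the Time fields discussed in this thread, here is an added example (not gnutls or libtasn1 code) that splits a single X.509 Time TLV and classifies its content as DER-conformant per RFC 5280 4.1.2.5 (seconds present, zone 'Z' only, no fractions) or as a BER-only form that a lenient decoder might still accept. The sample values are constructed and do not come from the oVirt certificates in [0].

```python
"""Strict (DER / RFC 5280) vs. lenient (BER-style) validation of X.509 Time
values.  Added example; not gnutls or libtasn1 code."""
import re
from datetime import datetime, timezone

UTCTIME, GENTIME = 0x17, 0x18  # X.690 universal tags for the two Time CHOICEs

# DER as profiled by RFC 5280 4.1.2.5: seconds present, zone 'Z' only, no
# fractional seconds.  UTCTime is YYMMDDHHMMSSZ, GeneralizedTime YYYYMMDDHHMMSSZ.
STRICT = {UTCTIME: re.compile(r"^\d{12}Z$"), GENTIME: re.compile(r"^\d{14}Z$")}
# BER forms a permissive decoder might accept: optional seconds, fractional
# seconds, or a +hhmm/-hhmm offset instead of 'Z'.
LENIENT = {UTCTIME: re.compile(r"^\d{10}(\d{2})?(Z|[+-]\d{4})$"),
           GENTIME: re.compile(r"^\d{10}(\d{2}(\d{2}(\.\d+)?)?)?(Z|[+-]\d{4})?$")}

def split_tlv(der: bytes):
    """Return (tag, content) of one short-form (length < 128) DER TLV."""
    if len(der) < 2 or der[1] >= 0x80:
        raise ValueError("unsupported or truncated TLV")
    if len(der) != 2 + der[1]:
        raise ValueError("length octet does not match content length")
    return der[0], der[2:]

def classify_time(der: bytes) -> str:
    """'der' if the content meets the strict rules, 'ber-only' if only the
    lenient pattern matches; ValueError for anything else."""
    tag, content = split_tlv(der)
    if tag not in STRICT:
        raise ValueError(f"not a Time tag: 0x{tag:02x}")
    text = content.decode("ascii")
    if STRICT[tag].match(text):
        return "der"
    if LENIENT[tag].match(text):
        return "ber-only"
    raise ValueError(f"unparseable Time content {text!r}")

def strict_time_to_datetime(der: bytes) -> datetime:
    """Decode a DER-conformant Time to an aware UTC datetime; rejects lenient forms."""
    if classify_time(der) != "der":
        raise ValueError("Time is not DER encoded")
    tag, content = split_tlv(der)
    text = content.decode("ascii")
    if tag == UTCTIME:
        # RFC 5280: two-digit years 50..99 mean 19xx, 00..49 mean 20xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

if __name__ == "__main__":
    # Constructed samples: the first is DER, the other two are BER-only.
    for sample in (b"\x17\x0d170509144800Z", b"\x17\x0b1705091448Z",
                   b"\x17\x11170509144800+0200"):
        print(sample[2:].decode(), "->", classify_time(sample))
```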