[gnutls-devel] DER decoding errors due to time format

Kurt Roeckx kurt at roeckx.be
Thu May 11 18:46:32 CEST 2017


On Wed, May 10, 2017 at 02:07:55PM +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, May 10, 2017 at 2:06 PM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
> > On Tue, May 9, 2017 at 8:47 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
> >> On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos wrote:
> >>> Hi,
> >>>  gnutls 3.5.x is more strict in certificate decoding and performs
> >>> various checks in the Time fields to ensure they are properly DER
> >>> formatted. However, it seems that this caused regressions with
> >>> certain certificates generated by ovirt as seen in [0]. I am not sure
> >>> which software was used to generate the problematic ones, however, it
> >>> is most likely openssl, or some other open source software. Are you
> >>> aware of other or similar decoding issues which were a result of 3.5.x
> >>> being more strict in DER rules?
> >>>
> >>> The options we have are:
> >>>  1. Ignore the error and insist on DER correctness in input certificates.
> >>>  2. Allow incorrectly formatted time fields in certificates
> >>> unconditionally, e.g., with a special libtasn1 flag:
> >>> https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc
> >>>
> >>> any other option I've missed? While I favor the first for its
> >>> simplicity, reality has shown over the years we must yield towards the
> >>> 'work' part.
> >>
> >> NSS is strict in what it accepts. We've recently changed openssl to be
> >> more strict too (commit 80770da39ebba0101079477611b7ce2f426653c5,
> >> https://github.com/openssl/openssl/issues/2620), but maybe not
> >> strict enough yet.
> >
> > Thank you, that is really helpful. It seems that Kurt
> 
> Sorry, I meant to write Tim here!

And today someone filed this in Debian:
https://bugs.debian.org/862335


Kurt
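To make concrete what "properly DER formatted" means for the Time fields this thread is about, here is an added example (not gnutls, libtasn1 or OpenSSL code) that decodes a single UTCTime or GeneralizedTime TLV and rejects encodings that are valid BER but not the one DER form RFC 5280 section 4.1.2.5 requires; all sample byte strings are constructed.

```python
"""Strict DER checker for X.509 Time values (RFC 5280 4.1.2.5, X.690 DER rules)."""
import re
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18
# RFC 5280: seconds mandatory, trailing 'Z' mandatory, no fractional seconds,
# no "+hhmm" offsets. A looser BER decoder would accept all of those.
_UTC_RE = re.compile(rb"\d{12}Z")   # YYMMDDHHMMSSZ
_GEN_RE = re.compile(rb"\d{14}Z")   # YYYYMMDDHHMMSSZ

def decode_der_time(tlv: bytes) -> datetime:
    """Decode one Time TLV (tag, short-form length, content) or raise ValueError.
    This is the author's own summary of the RFC rules, not a library routine."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV")
    tag, length = tlv[0], tlv[1]
    if length >= 0x80:  # longest legal value is 15 bytes, so short form suffices
        raise ValueError("long-form length not allowed for a Time value")
    if len(tlv) != 2 + length:
        raise ValueError("length does not match content")
    content = tlv[2:]
    if tag == UTC_TIME:
        if not _UTC_RE.fullmatch(content):
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(content[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year rule
        rest = content[2:12].decode()
    elif tag == GENERALIZED_TIME:
        if not _GEN_RE.fullmatch(content):
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        year = int(content[:4])
        if year < 2050:  # RFC 5280: dates through 2049 MUST be UTCTime
            raise ValueError("dates before 2050 must use UTCTime")
        rest = content[4:14].decode()
    else:
        raise ValueError(f"not a Time tag: 0x{tag:02x}")
    # strptime rejects impossible calendar values (month 13, day 32, hour 24, ...)
    return datetime.strptime(f"{year:04d}{rest}", "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def is_strict_der_time(tlv: bytes) -> bool:
    """True when the TLV is the single DER encoding a strict decoder accepts."""
    try:
        decode_der_time(tlv)
    except ValueError:
        return False
    return True
```

Running the rejected cases (missing seconds, a "+0200" offset, a GeneralizedTime for 2017, fractional seconds) against a lenient BER decoder shows exactly the gap between option 1 and option 2 in the thread.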
