[gnutls-devel] GnuTLS | Can't connect to websites with the certificate "TWCA Global Root CA" in the chain due to missing subject key identifier (#569)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Sep 20 16:23:36 CEST 2018
New Issue was created.
Issue 569: https://gitlab.com/gnutls/gnutls/issues/569
Author: Chih-Hsuan Yen
## Description of problem:
Programs using GnuTLS, including `gnutls-cli` and WebKitGTK-based browsers (e.g., GNOME epiphany), can't connect to websites with the certificate "TWCA Global Root CA" in the chain.
Take www.ntu.edu.tw as an example. In the server-provided certificate chain, the first intermediate CA "TWCA Secure SSL Certification Authority" has authority key identifier `48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50`. The second intermediate CA in the chain "TWCA Global Root CA" has the matching subject key identifier `48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50`, so ideally there are no problems.
The problem is, on Arch Linux, GnuTLS is configured to use p11-kit for checking certificate chains. Also, `certdata.txt` from Mozilla NSS is used as the default trust store. In certdata.txt, the certificate "TWCA Global Root CA" is also included as a trusted CA, and the corresponding certificate does not have a subject key identifier. As a result, `_gnutls_check_valid_key_id()` fails.
A workaround is removing "TWCA Global Root CA" from the system trust store. After that all GnuTLS-based programs work just fine.
## Version of gnutls used:
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
## How reproducible:
Steps to Reproduce:
* P11_KIT_DEBUG=all gnutls-cli -d 3 www.ntu.edu.tw
* P11_KIT_DEBUG=all gnutls-cli -d 3 www.citi.sinica.edu.tw
* P11_KIT_DEBUG=all gnutls-cli -d 3 www.twca.com.tw
## Actual results:
Output for www.ntu.edu.tw: [output.txt](/uploads/796b58219bc3c3012fa97c83fae990a6/output.txt)
The other two websites yield similar results.
## Expected results:
gnutls-cli connects to the specified website and waits for input.
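As an added illustration of the key-identifier matching this report describes (this is not GnuTLS code, and the name-based fallback is one common path-building choice, not a description of what GnuTLS does): the certificates are constructed dicts carrying only the fields involved, with the key identifier and names taken from the report; a strict rule fails exactly when the trust-store copy of the root lacks a subject key identifier, while a rule that treats key identifiers as a selection hint still finds it.

```python
"""Issuer selection during chain building, with and without a hard SKI requirement.

Constructed example: each certificate is a dict with subject, issuer and the
optional 'ski' (subject key identifier) / 'aki' (authority key identifier).
Signature verification, which a real validator must still perform, is not modelled.
"""

# Key identifier quoted in the report (shared by the AKI of the intermediate
# and the SKI of the server-sent copy of the root).
TWCA_KID = "48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50"

# Server-sent intermediate whose AKI points at the TWCA root key.
INTERMEDIATE = {
    "subject": "CN=TWCA Secure SSL Certification Authority",
    "issuer": "CN=TWCA Global Root CA",
    "aki": TWCA_KID,
}

# The root as sent by the server: carries an SKI.
ROOT_FROM_SERVER = {
    "subject": "CN=TWCA Global Root CA",
    "issuer": "CN=TWCA Global Root CA",
    "ski": TWCA_KID,
}

# The root as loaded from the trust store: same name, no SKI extension
# (the situation the report describes).
ROOT_FROM_TRUST_STORE = {
    "subject": "CN=TWCA Global Root CA",
    "issuer": "CN=TWCA Global Root CA",
}


def key_id_matches_strict(child, candidate):
    """Accept only if the child's AKI equals an SKI present on the candidate.
    A trust anchor without an SKI can never pass this check."""
    if "aki" not in child:
        return True  # nothing to compare
    return candidate.get("ski") == child["aki"]


def key_id_matches_lenient(child, candidate):
    """Use key identifiers to select an issuer when both sides have them; when the
    candidate has no SKI, fall back to name chaining and leave the decision to the
    signature check that follows."""
    if child["issuer"] != candidate["subject"]:
        return False
    if "aki" not in child or "ski" not in candidate:
        return True
    return candidate["ski"] == child["aki"]


def find_issuer(child, candidates, match):
    """Return the first candidate accepted by `match`, or None if there is none."""
    for cand in candidates:
        if match(child, cand):
            return cand
    return None
```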