[gnutls-devel] GnuTLS | Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name (#776)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Dec 4 21:42:00 CET 2019
Nikos Mavrogiannopoulos commented:


After some thought, I am not sure we should fix this. The reason is that we apply name constraints on CN only for certificates marked as WWW server that have no DNSname field. That is, we assume that a web server certificate which has no DNSname must have a DNS name in the CN field. I find that a reasonable assumption, and a workaround is easy: don't mark the end certificate as a WWW server one. As such, I do not think we should consider a fix without a more concrete issue presented.

Note that a similar issue was reported to NSS, but that was an issue because NSS applied the constraints to CN for all end-entity certificates, not only the web server ones.
https://frasertweedale.github.io/blog-redhat/posts/2019-01-29-name-constraints.html

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_254826143
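The rule described in the comment above, written out as a small model so the three cases (WWW server certificate with a non-DNS CN, the suggested workaround of dropping the WWW server purpose, and a certificate that carries a SubjectAltName dNSName) can be tried side by side. This is an added illustration, not GnuTLS code: the `Leaf` and `NameConstraints` records, the function names and the sample certificates are constructed for the example. The key purpose is modelled by its OID (id-kp-serverAuth, which GnuTLS calls GNUTLS_KP_TLS_WWW_SERVER), and dNSName constraint matching follows RFC 5280 section 4.2.1.10 (a name satisfies a constraint when it equals it or is a subdomain of it); a leading dot on a constraint is tolerated here as a convenience, which is an assumption of this model rather than a statement about GnuTLS.

```python
# Added model of the name-constraint policy discussed in gnutls#776.
# Not GnuTLS code: the data classes, function names and sample data are
# constructed for this example.
from dataclasses import dataclass, field
from typing import List

# id-kp-serverAuth; GnuTLS exposes this as GNUTLS_KP_TLS_WWW_SERVER.
KP_TLS_WWW_SERVER = "1.3.6.1.5.5.7.3.1"


@dataclass
class NameConstraints:
    """dNSName entries from a CA's NameConstraints extension (constructed)."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


@dataclass
class Leaf:
    """The parts of an end-entity certificate this model looks at (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)    # SubjectAltName dNSName values
    key_purposes: List[str] = field(default_factory=list)  # extended key usage OIDs


def dns_matches(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint: name equals the constraint or is a subdomain of it.

    The leading dot is tolerated by this model as a convenience (assumption).
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().lstrip(".").rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees win; permitted subtrees, if any, must cover the name."""
    if any(dns_matches(name, c) for c in nc.excluded_dns):
        return False
    if nc.permitted_dns and not any(dns_matches(name, c) for c in nc.permitted_dns):
        return False
    return True


def names_checked(leaf: Leaf) -> List[str]:
    """Which names the dNSName constraints are applied to, per the comment above.

    SubjectAltName dNSName entries are always checked. The CN is checked only
    when there are no dNSName entries and the certificate is marked as a TLS
    WWW server; otherwise the CN is left alone.
    """
    if leaf.san_dns:
        return list(leaf.san_dns)
    if KP_TLS_WWW_SERVER in leaf.key_purposes:
        return [leaf.common_name]
    return []


def verify_name_constraints(leaf: Leaf, nc: NameConstraints) -> bool:
    """True when every checked name satisfies the CA's constraints."""
    return all(dns_name_allowed(n, nc) for n in names_checked(leaf))


# Constructed sample: a CA constrained to example.com and its subdomains.
CA_CONSTRAINTS = NameConstraints(permitted_dns=["example.com"])

# The situation from the issue: a WWW server certificate whose CN is not a
# DNS name and which has no dNSName in SubjectAltName.
ISSUE_CASE = Leaf("John Doe", san_dns=[], key_purposes=[KP_TLS_WWW_SERVER])
# The suggested workaround: do not mark the certificate as a WWW server.
WORKAROUND_CASE = Leaf("John Doe", san_dns=[], key_purposes=[])
# With a dNSName present, the CN is not consulted at all.
SAN_CASE = Leaf("John Doe", san_dns=["www.example.com"],
                key_purposes=[KP_TLS_WWW_SERVER])
# A WWW server certificate whose CN is a DNS name outside the permitted tree.
OUTSIDE_CASE = Leaf("www.example.com.evil.net", san_dns=[],
                    key_purposes=[KP_TLS_WWW_SERVER])

if __name__ == "__main__":
    for label, leaf in [("issue case", ISSUE_CASE), ("workaround", WORKAROUND_CASE),
                        ("SAN present", SAN_CASE), ("outside tree", OUTSIDE_CASE)]:
        print(f"{label:12s} checks {names_checked(leaf)!r:30s} -> "
              f"{'ok' if verify_name_constraints(leaf, CA_CONSTRAINTS) else 'REJECTED'}")
```

Run as a script it prints one line per sample certificate; the only case that is rejected without a genuinely bad DNS name is the issue case, and removing the WWW server purpose or adding a dNSName makes it pass, which is the workaround the comment proposes.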



