[gnutls-devel] GnuTLS | Valid CA certificate rejected by GnuTLS (#693)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Feb 4 20:51:27 CET 2019

New Issue was created.

Issue 693: https://gitlab.com/gnutls/gnutls/issues/693
Author:    Tavis Ormandy

## Description of problem:

The routine gnutls_certificate_set_x509_trust_file() fails if the valid certificate [SSL Blindado PRO EV](https://crt.sh/?q=d6dc2aaea926ff94854e7d3eb310c6349714e8e6) is in the specified file.

## Version of gnutls used:


## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Built from source.

## How reproducible:

Steps to Reproduce:

 * Compile this program:

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <stdio.h>

int main(int argc, char **argv)
    gnutls_certificate_credentials_t cred;
    int count;
    count = gnutls_certificate_set_x509_trust_file(cred, "cafile.pem", GNUTLS_X509_FMT_PEM);
    fprintf(stderr, "GnuTLS processed %d roots\n", count);
    return 0;

`$ gcc $(pkg-config --cflags --libs gnutls) testcase.c`

 * Download the certificate: `$ wget -O cafile.pem https://crt.sh/?d=12730101`
 * Observe error code: `$ ./a.out`

## Actual results:
$ ./a.out 
GnuTLS processed -43 roots

## Expected results:

$ ./a.out 
GnuTLS processed 1 roots


Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/693
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190204/c0b8d620/attachment-0001.html>

More information about the Gnutls-devel mailing list