[gnutls-devel] GnuTLS | Name Constraints applied to intermediate CA CN because CA certificate does not have Extended key usage (2.5.29.37) (#776)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Jul 17 07:58:05 CEST 2019
Luiz Angelo Daros de Luca commented:
> (3) I'm not sure whether that adds any value. What is the actual problem you are pointing? Are there valid certificate chains that will fail this name constraints check?
You can have a server certificate without a SubAltName.DNS and with an not DNS-usable CN value. OpenVPN, for example, does not validate certificate name by default. It is common to have VPN server with something like: "CN=Server" or even "CN=VPN Server". As this CN is not an usable DNS name (does not have a dot), you can skip DNS name constraint test. Windows and OpenSSL does not reject with it but gnutls will reject it.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_192632005
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190717/45c0943b/attachment.html>
More information about the Gnutls-devel
mailing list