[gnutls-devel] GnuTLS | Name Constraints applied to intermediate CA CN because CA certificate does not have Extended key usage ( (#776)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Jul 17 07:58:05 CEST 2019

Luiz Angelo Daros de Luca commented:

> (3) I'm not sure whether that adds any value. What is the actual problem you are pointing? Are there valid certificate chains that will fail this name constraints check?

You can have a server certificate without a SubAltName.DNS and with a not DNS-usable CN value. OpenVPN, for example, does not validate the certificate name by default. It is common to have a VPN server with something like: "CN=Server" or even "CN=VPN Server". As this CN is not a usable DNS name (does not have a dot), you can skip the DNS name constraint test. Windows and OpenSSL do not reject it, but gnutls will reject it.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_192632005
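
The check described in the comment above, as an added example (not GnuTLS, OpenSSL or Windows code): a CN is tested against a permitted dNSName subtree only when the certificate has no SAN dNSName and the CN looks like a hostname. The function names, the `has_san_dns` flag and the single-subtree simplification are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

enum nc_result { NC_SKIPPED, NC_PERMITTED, NC_REJECTED };

/* Heuristic from the comment: a CN is a candidate DNS name only if it
 * contains a dot and is made up solely of hostname characters. */
static bool cn_looks_like_dns(const char *cn)
{
    size_t len = strlen(cn);
    bool dot = false;

    if (len == 0 || cn[0] == '.' || cn[len - 1] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)cn[i];
        if (c == '.') {
            if (cn[i + 1] == '.')   /* empty label, e.g. "a..b" */
                return false;
            dot = true;
        } else if (!isalnum(c) && c != '-' && c != '_') {
            return false;           /* spaces etc.: "VPN Server" */
        }
    }
    return dot;
}

/* dNSName constraint match: the name equals the subtree or is formed by
 * adding labels to its left-hand side (label boundary required). */
static bool dns_in_subtree(const char *name, const char *subtree)
{
    size_t n = strlen(name), s = strlen(subtree);
    if (s == 0)
        return true;                /* empty constraint permits any name */
    if (n < s || strcasecmp(name + n - s, subtree) != 0)
        return false;
    return n == s || name[n - s - 1] == '.';
}

/* has_san_dns (assumed flag): the certificate carries a SAN dNSName,
 * so the CN is not used as a DNS identity at all. */
static enum nc_result check_cn(const char *cn, bool has_san_dns, const char *permitted)
{
    if (has_san_dns || !cn_looks_like_dns(cn))
        return NC_SKIPPED;
    return dns_in_subtree(cn, permitted) ? NC_PERMITTED : NC_REJECTED;
}
```

A verifier that skips the check this way should also refuse to use such a CN for hostname matching, otherwise the skipped constraint leaves a gap.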