[gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Jan 11 21:53:29 CET 2020



Markus Weber created an issue: https://gitlab.com/gnutls/gnutls/issues/905



## Description of problem:  
The type "Registered ID" with index number 8 is missing in the GnuTLS build of Debian 10.2 (Buster).
https://www.alvestrand.no/objectid/2.5.29.17.html

This prevents the connection of wget to Elasticsearch secured with Search Guard.
https://docs.search-guard.com/latest/tls-in-production

## Version of gnutls used:
# apt search gnutls | grep installed
libcurl3-gnutls/stable,stable,now 7.64.0-4 amd64 [installed,automatic]
libgnutls30/stable,stable,now 3.6.7-4 amd64 [installed]
libsoup2.4-1/stable,stable,now 2.64.2-2 amd64 [installed,automatic]
python3-pycurl/stable,stable,now 7.43.0.2-0.1 amd64 [installed,automatic]

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian 10.2 (buster)

## How reproducible:
wget against an HTTPS server that has a certificate using a custom OID in the "Subject Alternative Name" field.

## Actual results:
/usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V
--2020-01-11 20:16:09--  https://server:9200/_cluster/health?pretty=true
Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem'
Resolving server.fqdn (server.fqdn)... 1.2.3.4
Connecting to server.fqdn (server.fqdn)|1.2.3.4|:9200... connected.
GnuTLS: Unknown Subject Alternative name in X.509 certificate.
Unable to establish SSL connection.
CRITICAL - Could not connect to server server.fqdn

## Expected results:
From another system with Debian 9.11:
/usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V
--2020-01-11 20:45:37--  https://server.fqdn:9200/_cluster/health?pretty=true
Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem'
Resolving server.fqdn (server.fqdn)... 1.2.3.4
Connecting to de1app3.doitll.com (server.fqdn)|1.2.3.4|:9200... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Search Guard"
Reusing existing connection to [server.fqdn]:9200.
HTTP request sent, awaiting response... 200 OK
Length: 462 [application/json]
Saving to: ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’

/tmp/tmp.dV2lmBXb4g-check_elasticsearch                      100%[=============================================================================================================================================>]     462  --.-KB/s    in 0s      

2020-01-11 20:45:38 (15.4 MB/s) - ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’ saved [462/462]

OK - elasticsearch (cluster) is running. status: green; timed_out: false; ...



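Added example, not code from the issue or from GnuTLS: a stdlib-only Python scanner that walks a DER-encoded SubjectAltName value and reports each GeneralName choice tag, so a certificate carrying a registeredID ([8]) entry can be spotted before a GnuTLS 3.6.7 client such as wget is pointed at that server. The sample SAN bytes, the host name and the OID 1.2.3.4 are constructed for the example.

```python
# Added example (not from the issue or GnuTLS): stdlib-only scan of a DER SubjectAltName
# value reporting each GeneralName tag, so registeredID ([8]) is caught before GnuTLS 3.6.7 is.
from typing import List, Tuple

GENERAL_NAME_TAGS = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                     4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
                     7: "iPAddress", 8: "registeredID"}  # RFC 5280 4.2.1.6 CHOICE tags

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element; return (identifier octet, content, next offset)."""
    ident, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return ident, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode the base-128 arc encoding that a registeredID carries."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed into one subidentifier
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_san(der: bytes) -> List[Tuple[str, str]]:
    """Return (name type, value) for each GeneralName in the SAN SEQUENCE."""
    ident, seq, _ = _read_tlv(der, 0)
    if ident != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        ident, content, pos = _read_tlv(seq, pos)
        tag = ident & 0x1F
        kind = GENERAL_NAME_TAGS.get(tag, f"unknown[{tag}]")
        if tag == 8:
            names.append((kind, decode_oid(content)))
        elif tag in (1, 2, 6):  # IA5String choices
            names.append((kind, content.decode("ascii")))
        else:
            names.append((kind, content.hex()))
    return names

def has_registered_id(der: bytes) -> bool:
    return any(kind == "registeredID" for kind, _ in parse_san(der))

# Constructed sample: dNSName "server.fqdn" plus registeredID 1.2.3.4 (made-up OID).
SAMPLE_SAN = b"\x30\x12" + b"\x82\x0bserver.fqdn" + b"\x88\x03\x2a\x03\x04"
```

For a real certificate, feed it the content of extension 2.5.29.17 (the OID the report links to), i.e. the bytes inside that extension's OCTET STRING.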