[gnutls-devel] GnuTLS | GnuTLS allows version one and two certificates in TLS 1.2 during client authentication (#1030)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Jun 11 15:04:31 CEST 2020 


Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1030



## Description of problem:
The specification for TLS 1.2 ([RFC 5246](https://tools.ietf.org/html/rfc5246#section-7.4.6)) requires the usage of X.509v3 certificates for entity authentication. GnuTLS allows the usage of version one and two certificates.

## Version of gnutls used:
3.6.13, 3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Compiled from source after cloning the respective branch from GitHub


## How reproducible:

Steps to Reproduce:

 * Start `gnutls-serv` with 
    - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/8e79d085d9f7ada8e9f088c0b21f268d/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile`
    - [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem) for `--x509keyfile`
    - [root.pem](/uploads/b080bace5ded73971868664aa18d6dc0/root.pem) for `--x509cafile`
    - require client certificate `-r`
    - verify client certificate `--verify-client-cert`
 * Use OpenSSL `s_client` or similar tool to connect to the server using the following two certificates. This example uses OpenSSL.
    - `openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem`
    - [ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem](/uploads/ba0ef0d0e622226b559446b45fe16c4e/ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem)
    - [ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem](/uploads/644009f2a69240eba7908169940591ab/ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem)
    - [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem)

For version one the certificates are:
- [ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem](/uploads/322173f1e006247727e5961fec128c5a/ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem)
- [ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem](/uploads/290501bc7cf402d9101ed35d7af45378/ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem)
- [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem)



## Actual results:
GnuTLS accepts the certificates as valid and proceeds with the handshake.

## Expected results:
GnuTLS should reject the certificates and abort the handshake.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1030
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200611/2ae295f9/attachment-0001.html>

More information about the Gnutls-devel mailing list