[gnutls-devel] GnuTLS | GnuTLS accepts a cert with critical issuerAltName (#1163)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Jan 26 08:36:08 CET 2021



GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1163



## Description of problem:
GnuTLS accepts a cert with critical issuerAltName. However, OpenSSL, mbedTLS, wolfSSL, and NSS reject it. According to RFC 5280, the ext issuerAltName should be marked as non-critical.

## Version of gnutls used:

3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu x64

## How reproducible:

Steps to Reproduce:

 * `certtool -i --infile seed-73s19-723s32.pem`

## Actual results:
```
Chain verification output: Verified. The certificate is trusted. 
```

## Expected results:

The cert is rejected due to its critical issuerAltName.

## Attachment

[seed-73s19-723s32.zip](/uploads/3735b2a160f0ef1b93ce3cf24203660e/seed-73s19-723s32.zip)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1163
You're receiving this email because of your account on gitlab.com.
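
The check the report asks for can be expressed as a lint over a certificate's extension list. The following is an added example, not code from the report or from GnuTLS: a stdlib-only DER walk over an X.509 `Extensions` value that lists the extensions flagged critical and reports whether issuerAltName (OID 2.5.29.18) is among them. The function names and the sample bytes are constructed for illustration, and extracting `Extensions` from a full certificate is not shown.

```python
ISSUER_ALT_NAME = "2.5.29.18"  # id-ce-issuerAltName, RFC 5280 section 4.2.1.7

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted OID string; assumes the first two arcs fit in one byte."""
    top = min(body[0] // 40, 2)
    arcs, val = [top, body[0] - 40 * top], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def critical_extensions(ext_der):
    """OIDs of all extensions whose critical flag is TRUE."""
    tag, seq, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag2, val, _ = read_tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE: an absent flag means non-critical
        if tag2 == 0x01 and val != b"\x00":
            found.append(decode_oid(oid))
    return found

def has_critical_issuer_alt_name(ext_der):
    return ISSUER_ALT_NAME in critical_extensions(ext_der)

def der(tag, body):  # tiny encoder used only to build the constructed sample
    return bytes([tag, len(body)]) + body

# Constructed sample: critical issuerAltName, critical basicConstraints, plain subjectAltName
IAN = der(0x30, der(0x06, b"\x55\x1d\x12") + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x82, b"ca.example"))))
BC = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x01, b"\xff"))))
SAN = der(0x30, der(0x06, b"\x55\x1d\x11") + der(0x04, der(0x30, der(0x82, b"www.example"))))
SAMPLE = der(0x30, IAN + BC + SAN)
```
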

