[gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Mar 14 18:22:02 CET 2022
Andreas Metzler commented:
Daiki Ueno @dueno · wrote 8 hours ago
> I can't reproduce it with PKCS#11 trust store, so I guess the issue is in the non-PKCS#11 code path in lib/x509/verify-high*.c

Indeed `certtool --infile=/tmp/ci.pem --verify --load-ca-certificate="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust"` succeeds where `certtool --infile=/tmp/ci.pem --verify` failed. (gnutls built with --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt / p11-kit with --with-trust-paths=/etc/ssl/certs/ca-certificates.crt).

ci.debian.net cannot be used as a testcase with gnutls-cli anymore; the duplicate cert has been removed from its certificate list.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_874071418
You're receiving this email because of your account on gitlab.com.
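Because the public testcase is gone, a reader who wants to check whether a given server chain would have hit this condition needs a way to spot a repeated certificate in a saved PEM chain. The script below is an added example, not GnuTLS code and not from the issue thread: it splits a PEM chain into DER blobs, fingerprints each one with SHA-256, reports any certificate that repeats an earlier one, and re-emits a de-duplicated chain. The "certificates" in `SAMPLE_CHAIN` are constructed placeholder bytes, not real X.509 data; the duplicate check only compares decoded bytes, so real PEM chains work the same way.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM chain, in file order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in _PEM_CERT.finditer(pem_text)
    ]


def fingerprint(der):
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def find_duplicates(pem_text):
    """Return [(position, fingerprint)] for each cert that repeats an earlier one."""
    first_seen = {}
    duplicates = []
    for pos, der in enumerate(split_pem_chain(pem_text)):
        fp = fingerprint(der)
        if fp in first_seen:
            duplicates.append((pos, fp))
        else:
            first_seen[fp] = pos
    return duplicates


def dedupe_chain(pem_text):
    """Re-emit the chain with repeated certificates dropped, keeping first-occurrence order."""
    seen = set()
    out = []
    for der in split_pem_chain(pem_text):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        body = base64.encodebytes(der).decode()  # 76-column lines, trailing newline
        out.append("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n")
    return "".join(out)


def _constructed_pem(payload):
    # Constructed placeholder block, not a real certificate: the checks above
    # only look at the decoded bytes, so any payload demonstrates the logic.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample chain: the leaf appears twice, as in the reported case.
SAMPLE_CHAIN = (
    _constructed_pem(b"CONSTRUCTED leaf cert for example.invalid")
    + _constructed_pem(b"CONSTRUCTED leaf cert for example.invalid")
    + _constructed_pem(b"CONSTRUCTED intermediate CA cert")
)


if __name__ == "__main__":
    for pos, fp in find_duplicates(SAMPLE_CHAIN):
        print(f"certificate #{pos} repeats an earlier one (sha256 {fp[:16]}...)")
    print(f"{len(split_pem_chain(dedupe_chain(SAMPLE_CHAIN)))} unique certificates after dedupe")
```

To use it on a real server, save the chain printed by `gnutls-cli --print-cert` (or `openssl s_client -showcerts`) to a file and pass its contents to `find_duplicates`. A hit tells you the chain has the shape the issue describes; whether a particular GnuTLS build rejects it is still a question for `certtool --verify` against the trust store you actually deploy with, as the comment above does.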

