[gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 15 10:52:44 CEST 2025
Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1711#note_2506061901
> This may allow a Man-in-the-Middle (MitM) attack if hostname verification is improperly implemented or omitted.
Were the reality any bit as apocalyptic as you paint it, you should've then marked the report as security sensitive.
> deepseek.py
This is not the first time when your alleged reproducer is a Python script that's effectively just a series of subprocess.run() invocations. Just write shell scripts.
> The connection succeeds and the certificate is accepted
No, it just plain does not. The connection fails with
```
- Status: The certificate is NOT trusted. The signature in the certificate is invalid. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
* Received alert '42': Certificate is bad.
Error in handshake: A TLS fatal alert has been received.
```
Tested on RHEL 8, RHEL 9, RHEL 10, Fedora 42, Ubuntu 24.04 (gnutls 3.8.3) and Ubuntu 22.04 (gnutls 3.7.3), which is three years old at this point.
Why you are looking for `Verification failed` is beyond me.
Why you are looking for it in stdout instead of stderr is beyond me.
Why you jump to conclusions that the connection has been established is beyond me.
And if your report and/or your alleged reproducer has been generated by an LLM, in full or in part, please just stop doing whatever you're doing and never do that again.
This is not your first frivolous report. Please kindly abstain from reporting non-issues.