[gnutls-devel] GnuTLS | certtool: Skipping unknown options in template ends up with "success" exit status 0 (#1911)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Jun 23 12:39:04 CEST 2026



Issue created by Tim Rühsen: https://gitlab.com/gnutls/gnutls/-/work_items/1911



Opening this as a discussion to clarify if we want this change or not.

## Problem
When having a non-matching or wrongly-spelled option in a template file (e.g., to create a certificate), `certtool` prints a warning but then creates the possibly wrong certificate and exits with status 0.

The danger here is to overlook the warning. On a console, the warning line easily scrolls out of the window, and from what the user sees, all looks good.

Scripting / automation that relies on the exit status will just continue, potentially creating certificates that are missing necessary KU or EKU extensions.

## Suggestion
`certtool` should be very strict with malformed input. Unknown template options should not be skipped, but lead to an error without creating any certificate.

The alternative, testing the status code *and* grepping the console output for `warning`, seems to put too much burden on the user. And it's not expected or common sense.

This would be a breaking change for anyone who has malformed template files. But IMO it's better to force people to think about why something breaks in their build pipeline than possibly introducing security issues.

Are there any use cases where a new CLI option to revert to the old behavior is beneficial?

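As an added example (not GnuTLS code and not part of the issue above), the following POSIX shell wrapper shows the workaround the issue describes as too burdensome: a pipeline that refuses to continue when `certtool` emits a warning on stderr even though it exits 0. The pattern matched is an assumption, the word `warning` regardless of case, rather than any specific GnuTLS message; the `certtool` flags in the usage comment are real, the file paths are placeholders, and `fake_certtool_with_warning` is a constructed stand-in used only so the script runs offline.

```shell
#!/bin/sh
# strict_run CMD [ARGS...]
# Runs CMD with stderr captured, replays stderr for the operator, and
# returns non-zero if either the command failed OR its stderr contained
# a warning. This turns "warning + exit 0" into a hard pipeline failure.
strict_run() {
    errfile=$(mktemp) || return 1
    if "$@" 2>"$errfile"; then
        status=0
    else
        status=$?
    fi
    # Replay captured stderr so nothing is hidden from the console/log.
    cat "$errfile" >&2
    # Assumption: any line containing "warning" (case-insensitive) is a
    # problem worth stopping for; tighten the pattern for your tool.
    if grep -qi 'warning' "$errfile"; then
        echo "strict_run: refusing to continue, warning emitted by: $*" >&2
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
    return "$status"
}

# Constructed stand-in for the behaviour described in the issue: a
# "certtool" that warns about an unknown template option and exits 0.
# (Not real certtool output; the message text is made up.)
fake_certtool_with_warning() {
    echo "warning: unknown option 'tls_www_servr' in template" >&2
    return 0
}

# Constructed stand-in for a clean run: no warnings, exit 0.
fake_certtool_clean() {
    echo "certificate written" 
    return 0
}

# Usage in a real pipeline (placeholder paths, real certtool flags):
#   strict_run certtool --generate-certificate --load-privkey key.pem \
#       --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
#       --template cert.cfg --outfile cert.pem || exit 1
```

Because `strict_run` replays stderr before deciding, the operator still sees the original message; the wrapper only adds the missing failure status. Run with `set -e` in the calling script so the non-zero return stops the pipeline before the possibly misconfigured certificate is deployed.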



