<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/kmiller">Kenneth J. Miller</a>
commented:
</p>
<div style="">
<p dir="auto">The ticket name should be changed to describe the underlying issue; the failing validation of certificates chaining back to the expired Sectigo root/intermediate is a symptom of a deeper issue with the way GnuTLS currently validates certificate paths.</p>
<p dir="auto">I recreated the issue locally with <strong>GnuTLS 3.6.13</strong>, Nginx, and some test certificates. From my observation, GnuTLS fails if the first path validated contains an expired certificate, even if there exist possible valid alternative paths.</p>
<p dir="auto">Here is the X.509 PKI I tested with, in which an intermediate is cross-signed by a valid and an expired root certificate respectively:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"> ROOT 1     ROOT 2</span>
<span id="LC2" class="line" lang="plaintext">(valid)    (expired)</span>
<span id="LC3" class="line" lang="plaintext">    \         /</span>
<span id="LC4" class="line" lang="plaintext">     \       /</span>
<span id="LC5" class="line" lang="plaintext">   INTERMEDIATE 1</span>
<span id="LC6" class="line" lang="plaintext">      (valid)</span>
<span id="LC7" class="line" lang="plaintext">         |</span>
<span id="LC8" class="line" lang="plaintext">         |</span>
<span id="LC9" class="line" lang="plaintext">      LEAF 1</span>
<span id="LC10" class="line" lang="plaintext">      (valid)</span></code></pre>
<p dir="auto">Note that this is a slightly different hierarchy than the issue presented by Sectigo's certificates where the public keys of an intermediate certificate were used to re-create a self-signed root. However, the underlying issue presents itself in the same way.</p>
<p dir="auto">Depending on the order in which Nginx serves the above cross-signed INTERMEDIATE 1 certificates after the LEAF 1 certificate, a request will either succeed or fail.</p>
<p dir="auto">When the certificate bundle supplied by Nginx contains the INTERMEDIATE 1 signed by the valid ROOT 1 <em>before</em> the one signed by ROOT 2, the TLS handshake succeeds:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">asd# gnutls-cli example.test</span>
<span id="LC2" class="line" lang="plaintext">Processed 2 CA certificate(s).</span>
<span id="LC3" class="line" lang="plaintext">Resolving 'example.test:443'...</span>
<span id="LC4" class="line" lang="plaintext">Connecting to '127.0.1.1:443'...</span>
<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC8" class="line" lang="plaintext"> - subject `CN=example.test', issuer `CN=INTERMEDIATE 1', serial 0x6ce0398c3f993ad4f5509763fc2ed69286df6631, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:20:16 UTC', expires `2020-06-28 03:20:17 UTC', pin-sha256="ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo="</span>
<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>
<span id="LC10" class="line" lang="plaintext">              sha1:66fc0194e47a524774be3c64c1fcf11dab218ebd</span>
<span id="LC11" class="line" lang="plaintext">              sha256:c9294f990d25bfdcb87fb870b28a6c973804762527537ff9bb89c5c9ad96c12a</span>
<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>
<span id="LC13" class="line" lang="plaintext">              pin-sha256:ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo=</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>
<span id="LC16" class="line" lang="plaintext"> - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 1', serial 0x17662e3e54ea343b5e81205e0c69aafb94c2b29d, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:25:19 UTC', expires `2020-06-29 03:25:22 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4="</span>
<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>
<span id="LC18" class="line" lang="plaintext"> - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 2', serial 0x1040f78089e97ffefc343f977eaeedd78fc15f87, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:22:12 UTC', expires `2020-06-28 03:22:14 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4="</span>
<span id="LC19" class="line" lang="plaintext">- Status: The certificate is trusted. </span>
<span id="LC20" class="line" lang="plaintext">- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)</span>
<span id="LC21" class="line" lang="plaintext">- Options:</span>
<span id="LC22" class="line" lang="plaintext">- Handshake was completed</span></code></pre>
<p dir="auto">When the certificate bundle supplied by Nginx contains the INTERMEDIATE 1 signed by the ROOT 1 <em>after</em> the one signed by the expired ROOT 1, the TLS handshake fails:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"># gnutls-cli example.test</span>
<span id="LC2" class="line" lang="plaintext">Processed 2 CA certificate(s).</span>
<span id="LC3" class="line" lang="plaintext">Resolving 'example.test:443'...</span>
<span id="LC4" class="line" lang="plaintext">Connecting to '127.0.1.1:443'...</span>
<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC8" class="line" lang="plaintext"> - subject `CN=example.test', issuer `CN=INTERMEDIATE 1', serial 0x6ce0398c3f993ad4f5509763fc2ed69286df6631, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:20:16 UTC', expires `2020-06-28 03:20:17 UTC', pin-sha256="ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo="</span>
<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>
<span id="LC10" class="line" lang="plaintext">              sha1:66fc0194e47a524774be3c64c1fcf11dab218ebd</span>
<span id="LC11" class="line" lang="plaintext">              sha256:c9294f990d25bfdcb87fb870b28a6c973804762527537ff9bb89c5c9ad96c12a</span>
<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>
<span id="LC13" class="line" lang="plaintext">              pin-sha256:ySlPmQ0lv9y4f7hwsopslzgEdiUnU3/5u4nFya2WwSo=</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>
<span id="LC16" class="line" lang="plaintext"> - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 2', serial 0x1040f78089e97ffefc343f977eaeedd78fc15f87, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:22:12 UTC', expires `2020-06-28 03:22:14 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4="</span>
<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>
<span id="LC18" class="line" lang="plaintext"> - subject `CN=INTERMEDIATE 1', issuer `CN=ROOT 1', serial 0x17662e3e54ea343b5e81205e0c69aafb94c2b29d, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-05-31 03:25:19 UTC', expires `2020-06-29 03:25:22 UTC', pin-sha256="SbBuckO3jO2KQK2OTZ1s92tOYBU1Zh2cULbe6dZ+tK4="</span>
<span id="LC19" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. The signature in the certificate is invalid. </span>
<span id="LC20" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>
<span id="LC21" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>
</div>


</div>
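<p dir="auto">The order dependence described in the comment above, as an added example that is not part of the original comment and is not GnuTLS code: a simplified model in which a validator that follows only the first candidate issuer is compared with one that backtracks over every candidate. The <code>Cert</code> record, the function names, the evaluation time and the root expiry dates are assumptions constructed for illustration, and signatures are not checked.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed stand-ins for the PKI in the comment. Signatures are not modelled:
# matching issuer name to subject name stands in for signature verification.
NOW = utc(2020, 6, 1)
ROOT1 = Cert("ROOT 1", "ROOT 1", utc(2030, 1, 1))
ROOT2 = Cert("ROOT 2", "ROOT 2", utc(2020, 5, 30))  # expired at NOW
INT_BY_ROOT1 = Cert("INTERMEDIATE 1", "ROOT 1", utc(2020, 6, 29))
INT_BY_ROOT2 = Cert("INTERMEDIATE 1", "ROOT 2", utc(2020, 6, 28))
LEAF = Cert("example.test", "INTERMEDIATE 1", utc(2020, 6, 28))
TRUST_STORE = [ROOT1, ROOT2]
VALID_FIRST = [LEAF, INT_BY_ROOT1, INT_BY_ROOT2]    # bundle order that succeeds
EXPIRED_FIRST = [LEAF, INT_BY_ROOT2, INT_BY_ROOT1]  # bundle order that fails

def expired(cert, now=NOW):
    return now > cert.not_after

def issuers_of(cert, pool):
    return [c for c in pool if c.subject == cert.issuer and c != cert]

def first_path_only(leaf, served, trust, now=NOW):
    """Follow only the first candidate issuer at each step; never backtrack."""
    cert = leaf
    while not expired(cert, now):
        if cert in trust:
            return True
        candidates = issuers_of(cert, served + trust)
        if not candidates:
            return False
        cert = candidates[0]
    return False

def any_valid_path(cert, served, trust, now=NOW, seen=()):
    """Depth-first search over every candidate issuer; one valid path suffices."""
    if expired(cert, now) or cert in seen:
        return False
    if cert in trust:
        return True
    return any(any_valid_path(c, served, trust, now, seen + (cert,))
               for c in issuers_of(cert, served + trust))
```

<p dir="auto">In this model the first-path validator's result flips with the bundle order, while the backtracking validator accepts both orders and still rejects a bundle whose only path ends at the expired root.</p>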
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352387084">view it on GitLab</a>.


</p>
</div>
</body>
</html>