<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/dueno">Daiki Ueno</a>
commented:
</p>
<div style="">
<p dir="auto"><a href="https://gitlab.com/sahprasa" data-user="1160630" data-reference-type="user" data-container="body" data-placement="top" class="gfm gfm-project_member js-user-link" title="Sahana Prasad">@sahprasa</a> <a href="https://gitlab.com/codesquid" data-user="2759085" data-reference-type="user" data-container="body" data-placement="top" class="gfm gfm-project_member js-user-link" title="Tim Kosse">@codesquid</a> let me clarify the scope of this bug.</p>
<blockquote dir="auto">
<p>The output of certtool unfortunately is not very helpful either when given the certificates sent by this server:</p>
</blockquote>
<p dir="auto">I think this is simply a leftover bug of (<a href="https://gitlab.com/gnutls/gnutls/-/merge_requests/1271" data-original="!1271" data-link="false" data-link-reference="false" data-project="179611" data-merge-request="60168899" data-project-path="gnutls/gnutls" data-iid="1271" data-mr-title="_gnutls_pkcs11_verify_crt_status: check validity against system cert" data-reference-type="merge_request" data-container="body" data-placement="top" title="" class="gfm gfm-merge_request">!1271</a>), which should be fixed with <a href="https://gitlab.com/gnutls/gnutls/-/merge_requests/1338" data-original="!1338" data-link="false" data-link-reference="false" data-project="179611" data-merge-request="72258676" data-project-path="gnutls/gnutls" data-iid="1338" data-mr-title="x509: correct argument of gnutls_verify_output_function" data-reference-type="merge_request" data-container="body" data-placement="top" title="" class="gfm gfm-merge_request">!1338</a>: the issuer of the second cert should be "COMODO RSA Certification Authority" instead of "AddTrust External CA Root". Other than that, I don't see anything wrong in the output.</p>
<p dir="auto">As noted in <a href="https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352394245" data-original="https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352394245" data-link="false" data-link-reference="true" data-project="179611" data-issue="35220797" data-reference-type="issue" data-container="body" data-placement="top" title="Handle expiration of AddTrust root certificate (urgent)" class="gfm gfm-issue has-tooltip">#1008 (comment 352394245)</a>, GnuTLS can only process "linear" certificate chains. Therefore we don't need to care about the cases like the peer sends multiple intermediate CAs for the same subject. The replaced certificate is only at the root of the trust.</p>
<blockquote dir="auto">
<p>I suggest adding a function that returns the full path to the trusted root as was used in gnutls_certificate_verify_peers.</p>
</blockquote>
<p dir="auto">Yes, this is the actual request; that is, the TLS applications should have a way to pass the <code>gnutls_verify_output_function</code> as a callback. I think the best way to do that is adding a function, say:</p>
<pre class="code highlight js-syntax-highlight c" lang="c" v-pre="true"><code><span id="LC1" class="line" lang="c"><span class="kt">void</span> <span class="nf">gnutls_session_set_verify_output_function</span><span class="p">(</span><span class="n">gnutls_session_t</span> <span class="n">session</span><span class="p">,</span></span>
<span id="LC2" class="line" lang="c"> <span class="n">gnutls_verify_output_function</span> <span class="o">*</span><span class="n">func</span><span class="p">);</span></span></code></pre>
</div>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1012#note_419258883">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/-/sent_notifications/d05de3d85f8d51dd570ee0de47462cc6/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1012#note_419258883"}}</script>
</p>
</div>
</body>
</html>