<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #666;">

<a href="https://gitlab.com/tkrizek">Tomas Krizek</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1131">#1131</a>:

</p>

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">When a root certificate appears twice in the certificate chain, it is marked as untrusted. I suppose there's no reason why duplicate certificates should be in the chain, but these do appear in the wild, e.g. <code>gitlab.nic.cz</code> (as of 2020-12-07).</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">3.7.0 (the same certificate chain works fine with 3.6.15)</p>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>

<p dir="auto">Archlinux</p>

<h2 dir="auto">

<a id="user-content-how-reproducible-100" class="anchor" href="#how-reproducible-100" aria-hidden="true"></a>How reproducible: 100%</h2>

<p dir="auto">Steps to Reproduce:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ gnutls-cli gitlab.nic.cz</span>

<span id="LC2" class="line" lang="plaintext">Processed 149 CA certificate(s).</span>

<span id="LC3" class="line" lang="plaintext">Resolving 'gitlab.nic.cz:443'...</span>

<span id="LC4" class="line" lang="plaintext">Connecting to '217.31.192.133:443'...</span>

<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>

<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>

<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>

<span id="LC8" class="line" lang="plaintext"> - subject `CN=gitlab.labs.nic.cz', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x043d7d8a63166e0368df867d4c584791ae65, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-16 08:03:24 UTC', expires `2021-02-14 08:03:24 UTC', pin-sha256="7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="</span>

<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>

<span id="LC10" class="line" lang="plaintext">              sha1:1bb89b72e0dfd583e5cc970030310e38f7740ffa</span>

<span id="LC11" class="line" lang="plaintext">              sha256:ecd066036fdd0e3277a3a4872cb6e1a0fea74eef7906120c94e406fc51934ccb</span>

<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>

<span id="LC13" class="line" lang="plaintext">              pin-sha256:7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs=</span>

<span id="LC14" class="line" lang="plaintext"></span>

<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>

<span id="LC16" class="line" lang="plaintext"> - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="</span>

<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>

<span id="LC18" class="line" lang="plaintext"> - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="</span>

<span id="LC19" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate issuer is unknown. </span>

<span id="LC20" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>

<span id="LC21" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>

<p dir="auto">In case the service cert gets fixed in the mean time, I'm also attaching a copy of the certificate. <a href="https://gitlab.com/gnutls/gnutls/uploads/ae1a7cd5362b07fcba7210c2b2247503/gitlab.nic.cz.pem" data-link="true" class="gfm">gitlab.nic.cz.pem</a></p>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<p dir="auto">certificate verification fails</p>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<p dir="auto">certificate verification succeeds</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1131">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/-/sent_notifications/1c7220bf39458476e85667edf4057ad1/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1131"}}</script>

</p>

</div>

</body>

</html>