<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>

<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>

<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">

<p class="details" style="font-style: italic; color: #737278;">
<a href="https://gitlab.com/jiay15018">yao jia</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1590">#1590</a>
</p>
<div class="md" style="position: relative; z-index: 1; color: #28272d; word-wrap: break-word;">
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 0 0 16px;" align="initial">
<a href="#description-of-the-feature" aria-hidden="true" class="anchor" id="user-content-description-of-the-feature" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Description of the feature:</h2>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">In GnuTLS version 3.8.7, the library limits the handling of certificate chains by restricting the total number of certificates rather than assessing the effective length of the chain. This approach can cause validation failures when a server includes additional certificates that, while not directly necessary for establishing a valid certificate path, may serve as cross-intermediate certificates providing alternative paths.</p>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">As shown in the attached certificate chain <a href="https://gitlab.com/-/project/179611/uploads/7b207c8c6dd89067b980a1f135695e24/17certs_chain.pem" data-canonical-src="/uploads/7b207c8c6dd89067b980a1f135695e24/17certs_chain.pem" data-link="true" class="gfm" style="margin-top: 0;">17certs_chain.pem</a>, I configured a chain with 17 certificates. The valid certificate path could only be constructed using the first, second, and seventeenth certificates, with the others being irrelevant. This indicates that the actual effective length of the certificate path is merely 3. Nonetheless, the validation failed under these conditions. <a class="no-attachment-icon gfm" href="https://gitlab.com/-/project/179611/uploads/a3fb744a6f5e49d00e024b715f4dbf22/17invalid.png" target="_blank" rel="noopener noreferrer" data-canonical-src="/uploads/a3fb744a6f5e49d00e024b715f4dbf22/17invalid.png" data-link="true"><img src="https://gitlab.com/-/project/179611/uploads/a3fb744a6f5e49d00e024b715f4dbf22/17invalid.png" alt="17invalid" data-canonical-src="/uploads/a3fb744a6f5e49d00e024b715f4dbf22/17invalid.png" class="gfm" style="max-width: 100%; height: auto; margin-top: 0; vertical-align: baseline;"></a> Interestingly, when I removed one irrelevant certificate, reducing the total number of certificates in the chain to 16 while maintaining the actual certificate path length at 3, the validation succeeded. <a class="no-attachment-icon gfm" href="https://gitlab.com/-/project/179611/uploads/9864737dc6bd0e6042556ed1f237c81a/16valid.png" target="_blank" rel="noopener noreferrer" data-canonical-src="/uploads/9864737dc6bd0e6042556ed1f237c81a/16valid.png" data-link="true"><img src="https://gitlab.com/-/project/179611/uploads/9864737dc6bd0e6042556ed1f237c81a/16valid.png" alt="16valid" data-canonical-src="/uploads/9864737dc6bd0e6042556ed1f237c81a/16valid.png" class="gfm" style="max-width: 100%; height: auto; margin-top: 0; vertical-align: baseline;"></a></p>
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 24px 0 16px;" align="initial">
<a href="#applications-that-this-feature-may-be-relevant-to" aria-hidden="true" class="anchor" id="user-content-applications-that-this-feature-may-be-relevant-to" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Applications that this feature may be relevant to:</h2>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">This feature is particularly relevant to secure data transmission applications, including web browsers, email clients, and any client-server applications that rely on TLS for secure communication. The issue may surface in environments where servers are configured with extensive certificate chains or intermediate certificates are plentiful, potentially leading to failure to establish secure connections.</p>
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 24px 0 16px;" align="initial">
<a href="#is-this-feature-implemented-in-other-libraries-and-which" aria-hidden="true" class="anchor" id="user-content-is-this-feature-implemented-in-other-libraries-and-which" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Is this feature implemented in other libraries (and which)</h2>
<p dir="auto" style="color: #28272d; margin: 0;" align="initial">Other cryptographic libraries such as OpenSSL and MbedTLS handle certificate chains differently, often allowing more flexibility in the chain length by focusing on the effective length of the chain rather than the total count of certificates. This approach can accommodate a broader range of server configurations and is less likely to reject a valid certificate chain solely based on the number of certificates presented.</p>
</div>
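<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">The two policies the report contrasts, as an added example that is not part of the issue or of GnuTLS: a small path builder over constructed certificates, where one verifier rejects the bundle as soon as it holds more than 16 certificates and the other bounds only the path actually used. Certificate names, the key identifiers standing in for signature checks, and the limit of 16 (the boundary the reporter observed) are assumptions; the 17-certificate bundle mirrors the report, with certificates 1, 2 and 17 forming the path and the rest being cross-certificates of the same intermediate signed by roots that are not trusted.</p>

```python
"""Constructed model of X.509 path building, contrasting two chain-length
policies: bounding the number of certificates the peer sent versus bounding
the length of the path that is actually used. Names, key identifiers and the
limit of 16 are assumptions for this example; nothing here calls GnuTLS."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subject key identifier, standing in for the public key
    aki: str  # authority key identifier, the key that signed this cert


# Boundary observed in the report: a 16-certificate bundle passes, 17 fails.
OBSERVED_LIMIT = 16


def _issued_by(cert: Cert, candidate: Cert) -> bool:
    """Issuer-name and key-identifier match; stands in for a signature check."""
    return cert.issuer == candidate.subject and cert.aki == candidate.ski


def build_path(chain: Sequence[Cert], anchors: Sequence[Cert],
               max_depth: Optional[int] = None) -> Optional[List[Cert]]:
    """Depth-first search from chain[0] to any trust anchor.

    Cross-certificates share a subject and key with the real intermediate, so
    they are legitimate candidates; the search backtracks when they dead-end.
    Returns the certificates on the path (anchor excluded) or None.
    """
    if not chain:
        return None

    def dfs(current: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if max_depth is not None and len(path) > max_depth:
            return None
        if any(_issued_by(current, anchor) for anchor in anchors):
            return path
        for cand in chain:
            if cand in path or not _issued_by(current, cand):
                continue
            found = dfs(cand, path + [cand])
            if found is not None:
                return found
        return None

    return dfs(chain[0], [chain[0]])


def verify_by_total_count(chain: Sequence[Cert], anchors: Sequence[Cert],
                          limit: int = OBSERVED_LIMIT) -> Tuple[bool, str]:
    """Policy A: reject a bundle with more than `limit` certificates before
    building any path, which is the behaviour the report describes."""
    if len(chain) > limit:
        return False, f"{len(chain)} certificates sent, limit is {limit}"
    path = build_path(chain, anchors)
    if path is None:
        return False, "no path to a trust anchor"
    return True, f"path length {len(path)}"


def verify_by_effective_depth(chain: Sequence[Cert], anchors: Sequence[Cert],
                              limit: int = OBSERVED_LIMIT) -> Tuple[bool, str]:
    """Policy B: bound only the path that is actually used; certificates the
    search never needs cost nothing."""
    path = build_path(chain, anchors, max_depth=limit)
    if path is None:
        return False, f"no path of at most {limit} certificates"
    return True, f"path length {len(path)}"


def report_scenario() -> Tuple[List[Cert], List[Cert], List[Cert]]:
    """Constructed bundles mirroring the report: certificates 1, 2 and 17 form
    the path; the 14 in between are cross-certificates of the same intermediate
    key signed by roots that are not trusted here."""
    root = Cert("Root CA", "Root CA", "k-root", "k-root")
    leaf = Cert("server.example", "Int A", "k-leaf", "k-a")       # cert 1
    int_a = Cert("Int A", "Int B", "k-a", "k-b")                    # cert 2
    int_b = Cert("Int B", "Root CA", "k-b", "k-root")               # cert 17
    cross = [Cert("Int A", f"Alt Root {i}", "k-a", f"k-alt-{i}")    # certs 3..16
             for i in range(3, 17)]
    chain17 = [leaf, int_a] + cross + [int_b]
    chain16 = [leaf, int_a] + cross[:-1] + [int_b]   # one irrelevant cert dropped
    return chain17, chain16, [root]


if __name__ == "__main__":
    chain17, chain16, anchors = report_scenario()
    for label, chain in (("17 certs", chain17), ("16 certs", chain16)):
        print(label, "by total count:    ", verify_by_total_count(chain, anchors))
        print(label, "by effective depth:", verify_by_effective_depth(chain, anchors))
```

<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">Running it shows the 17-certificate bundle rejected by the count-based policy and accepted by the depth-based one with a path of length 3, and the 16-certificate bundle accepted by both. Passing the limit into the search as <code>max_depth</code> is what keeps the depth-based policy from being a denial-of-service vector: a bundle full of cross-certificates can still be rejected, but only after a bounded search rather than by counting what the peer sent. To repeat the check against the real attachment, <code>certtool --verify-chain</code> takes a PEM chain file.</p>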

</div>
</body>
</html>