Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
Lars Noschinski
lars at public.noschinski.de
Mon Jun 21 14:58:21 CEST 2010
* Nikos Mavrogiannopoulos <nmav at gnutls.org> [10-06-21 13:46]:
> On Mon, Jun 21, 2010 at 1:45 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>
> >> Ok. But in this case, the behaviour I observed seems to be indeed a bug
> >> in gnutls, as my certificate list did not contain the server's
> >> certificate, but only the CA certificates.
> > Then please send me something I can reproduce (such as the smallest
> > possible list that I can use to verify the problem and how I can
> > verify it).
For the certificate list, see
http://avalon.hoffentlich.net/~cebewee/debug/gnutls/cacert.crt
(containing the CAcert.org root certificates).
Now,
$ gnutls-cli jabberd.jabber.ccc.de --x509cafile cacert.crt
trusts the server certificate [0]. Now apply the patch [1] to cli.c
and run the patched binary. Now
$ gnutls-cli.patched jabberd.jabber.ccc.de --x509cafile cacert.crt
fails to establish a trusted chain [2].
> And of course the version of gnutls you are using. If you are not
> using 1.8.x please reproduce with it.
You mean 2.8.x, correct? Reproduced using libgnutls26, 2.8.6-1 package
from debian (the package does not contain code patches, only the patches
in the debian/patches subdirectory of
http://ftp.de.debian.org/debian/pool/main/g/gnutls26/gnutls26_2.8.6-1.debian.tar.gz
).
-- Lars.
[0] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-ok.log
[1] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-cli.patch
[2] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-fail.log
More information about the Gnutls-help
mailing list