[gnutls-help] Combining certificate verification mechanisms [was: Re: GnuTLS with TOFU verifies public keys, not certificates]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Apr 17 21:52:21 CEST 2014

On 04/17/2014 03:23 PM, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-04-17 at 14:44 -0400, Daniel Kahn Gillmor wrote:

>> I agree that this change in documentation would match the current
>> behavior.  I'm wondering, though, whether we want to change the behavior
>> to match the documentation.   Both --tofu and --dane say "in addition to
>> certificate authentication", but only --dane seems to accept standard
>> X.509 certificate authentication as well.
>> even using "gnutls-cli --ca-verification --tofu www.example.org" doesn't
>> use certificate verification.
> Actually it does, although it only prints the verification failure. It
> seems though that the certificate information is printed twice and thus
> the failure isn't easily seen.

hm, really?  let me be more concrete than example.org.  the following
connects cleanly for me, with no complaints about certificate validation:

 gnutls-cli www.google.com

but if i connect using:

 gnutls-cli --tofu www.google.com

then i do see the certificate validation remark ("Status: The
certificate is trusted.") but i am *also* prompted with the TOFU prompt.
 If i say "no" on the TOFU prompt, the connection fails:

Host www.google.com (https) has never been contacted before.
Its certificate is valid for www.google.com.
Are you sure you want to trust it? (y/N): n
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
1 dkg at alice:~$

This seems like an odd combination, and *doesn't* match the behavior
when i use --dane.

it's also interesting to note the behavior when i use
--no-ca-verification without either --tofu or --dane: no cert check is
done at all, but the connection still goes through without a complaint.
 this seems like "failing open", and it isn't what i'd have expected.

it seems to me like we've got three different possible ways to verify a

 * X.509 CA verification (and OpenPGP CA Verification for RFC 6091)

each of these mechanisms can return "valid" or "not valid", right?  (or
should we consider that TOFU could return "valid", "unknown", and "does
not match known key"?)

how should these mechanisms be combined in a principled and predictable way?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140417/d455ca5f/attachment.sig>

More information about the Gnutls-help mailing list