[gnutls-help] Combining certificate verification mechanisms [was: Re: GnuTLS with TOFU verifies public keys, not certificates]

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Apr 17 22:41:40 CEST 2014

On Thu, 2014-04-17 at 15:52 -0400, Daniel Kahn Gillmor wrote:

> > Actually it does, although it only prints the verification failure. It
> > seems though that the certificate information is printed twice and thus
> > the failure isn't easily seen.
> hm, really?  let me be more concrete than example.org.  the following
> connects cleanly for me, with no complaints about certificate validation:
>  gnutls-cli www.google.com
> but if i connect using:
>  gnutls-cli --tofu www.google.com
> then i do see the certificate validation remark ("Status: The
> certificate is trusted.") but i am *also* prompted with the TOFU prompt.
>  If i say "no" on the TOFU prompt, the connection fails:
> Host www.google.com (https) has never been contacted before.
> Its certificate is valid for www.google.com.
> Are you sure you want to trust it? (y/N): n
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.
> 1 dkg at alice:~$

> This seems like an odd combination,

Why? In tofu the certificate authentication is pretty much advisory that
allows you to decide whether to accept or not.

>  and *doesn't* match the behavior
> when i use --dane.

That's true. In dane there is no user input so the PKI certification
can't be advisory. Nevertheless, if you have some better suggestion feel
free to propose it. That behavior isn't written in stone, and we can
still change the behavior of gnutls-cli in 3.3.0.

> it's also interesting to note the behavior when i use
> --no-ca-verification without either --tofu or --dane: no cert check is
> done at all, but the connection still goes through without a complaint.
>  this seems like "failing open", and it isn't what i'd have expected.

What would you have expected?

> it seems to me like we've got three different possible ways to verify a
> certificate:
>  * DANE
>  * X.509 CA verification (and OpenPGP CA Verification for RFC 6091)
>  * TOFU
> each of these mechanisms can return "valid" or "not valid", right?  (or
> should we consider that TOFU could return "valid", "unknown", and "does
> not match known key"?)

DANE and PKI are binary and automatic. TOFU has three states and is


More information about the Gnutls-help mailing list