[gnutls-help] The certificate chain violates the signer's constraints.

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jul 1 09:45:23 CEST 2015


On Tue, 2015-06-30 at 15:16 +0200, Andreas Freimuth wrote:
> Hi all,
> 
> I have a problem with the gnutls validating a certificate path. Can
> someone tell me if it is a mistake in the Certs, or a bug in GnuTLS?
> 
> Relevant parts of the Certs:
> == server.crt ==
> Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
> X509v3 Subject Alternative Name:
>      DNS:update.foobar.com, DNS:mx.foobar.email
> == CA ==
>      X509v3 Name Constraints:
>        Permitted:
>          DNS:foobar.com
>          DNS:foobar.email
>          DirName: C = US, O = Foo Bar Inc.
>        Excluded:
>          DNS:www.foobar.com
>          DNS:www.foobar.email
>          IP:0.0.0.0/0.0.0.0
>          IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

That looks like a bug in gnutls. The reason it is rejected is that
you have an IP address constraint which is not checked by gnutls. That
shouldn't have been rejected though, because there is no IP address set
in the server certificate. Anyway, the simple fix is to remove the IP
constraint, which allows everything anyway.

regards,
Nikos
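As an added illustration (not part of this thread and not GnuTLS code), here is a minimal RFC 5280 name-constraint check run over the names quoted above, with the subject DN and SANs constructed from the thread: subtrees of one name type only bind names of that same type, so the all-zero IP exclusion leaves a certificate with no iPAddress SAN untouched, while a DNS or IP name that actually hits a constraint is rejected.

```python
import ipaddress

def dns_in_subtree(name, constraint):
    """RFC 5280 4.2.1.10: a dNSName matches when it equals the constraint or
    ends with '.' + constraint (case-insensitive; a leading '.' is tolerated)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)

def ip_in_subtree(addr, constraint):
    """iPAddress constraint 'address/mask'. The mask is written out in full
    (e.g. 0.0.0.0/0.0.0.0 as in the thread), so derive the prefix length from
    its set bits (RFC 5280 requires contiguous masks)."""
    base, mask = constraint.split("/")
    prefixlen = bin(int(ipaddress.ip_address(mask))).count("1")
    net = ipaddress.ip_network(f"{base}/{prefixlen}", strict=False)
    return ipaddress.ip_address(addr) in net  # False on v4/v6 version mismatch

def dn_in_subtree(dn, constraint):
    """directoryName: the DN is in the subtree when it starts with the constraint's RDNs."""
    return dn[:len(constraint)] == constraint

MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree, "DirName": dn_in_subtree}

def check_name_constraints(names, permitted, excluded):
    """names, permitted, excluded: lists of (type, value). Returns (ok, reason).
    Subtrees of a given type only constrain names of that same type, so an IP
    subtree never affects a certificate that carries no iPAddress name."""
    for typ, value in names:
        match = MATCHERS[typ]
        if any(match(value, c) for t, c in excluded if t == typ):
            return False, f"{typ} {value!r} falls in an excluded subtree"
        perm = [c for t, c in permitted if t == typ]
        if perm and not any(match(value, c) for c in perm):
            return False, f"{typ} {value!r} is outside every permitted subtree"
    return True, "ok"

# Constructed from the names quoted in the thread (not parsed from real certificates).
SUBJECT = (("C", "US"), ("O", "Foo Bar Inc."), ("CN", "bazz.foobar.com"))
SERVER_NAMES = [("DirName", SUBJECT), ("DNS", "update.foobar.com"), ("DNS", "mx.foobar.email")]
PERMITTED = [("DNS", "foobar.com"), ("DNS", "foobar.email"),
             ("DirName", (("C", "US"), ("O", "Foo Bar Inc.")))]
EXCLUDED = [("DNS", "www.foobar.com"), ("DNS", "www.foobar.email"),
            ("IP", "0.0.0.0/0.0.0.0"), ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0")]

if __name__ == "__main__":
    print(check_name_constraints(SERVER_NAMES, PERMITTED, EXCLUDED))            # (True, 'ok')
    print(check_name_constraints([("DNS", "www.foobar.com")], PERMITTED, EXCLUDED))
    print(check_name_constraints([("IP", "192.0.2.10")], PERMITTED, EXCLUDED))  # hit by 0.0.0.0/0
```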
