[gnutls-help] The certificate chain violates the signer's constraints.
Andreas Freimuth
andreas_freimuth at web.de
Wed Jul 1 10:45:41 CEST 2015
On 01.07.2015 09:45, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-06-30 at 15:16 +0200, Andreas Freimuth wrote:
>> Hi all,
>>
>> I have a problem with GnuTLS validating a certificate path. Can
>> someone tell me if it is a mistake in the certs, or a bug in GnuTLS?
>>
>> Relevant parts of the certs:
>> == server.crt ==
>> Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
>> X509v3 Subject Alternative Name:
>> DNS:update.foobar.com, DNS:mx.foobar.email
>> == CA ==
>> X509v3 Name Constraints:
>> Permitted:
>> DNS:foobar.com
>> DNS:foobar.email
>> DirName: C = US, O = Foo Bar Inc.
>> Excluded:
>> DNS:www.foobar.com
>> DNS:www.foobar.email
>> IP:0.0.0.0/0.0.0.0
>> IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
>
> That looks like a bug in gnutls. The reason it is rejected is because
> you have an IP address constraint which is not checked by gnutls. That
> shouldn't have been rejected though because there is no IP address set
> in the server certificate. Anyway the simple fix is to remove the IP
> constraint, which allows everything anyway.
Thanks. The workaround works.
btw:
The IP constraint is a MUST have, by the CA/Browser Forum Baseline
Requirements ([1] 7.1.5).
And it is not 'allow everything'. It is 'forbid 0.0.0.0/0', which
forbids everything.
>
> regards,
> Nikos
>
>
--
Andreas Freimuth
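The disagreement in this thread is about what the name constraints on the CA actually say. The following script is an added example, not GnuTLS code and not something either poster wrote: it applies the RFC 5280 section 4.2.1.10 matching rules (dNSName, iPAddress with a base/mask pair, and directoryName as an RDN prefix; rfc822Name and URI are left out) to the constraints and subject/SAN values quoted above, reconstructed here as Python data. It shows that the excluded `0.0.0.0/0.0.0.0` and `::/::` entries forbid every IP address, but that a leaf with no iPAddress SAN is unaffected by them and should still validate; the extra leaf names used in the checks are constructed for illustration.

```python
"""Minimal RFC 5280 name-constraint checker (added example, not GnuTLS code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    # Each entry is (kind, value) with kind in {'dns', 'ip', 'dirName'}.
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_matches(name, constraint):
    # A dNSName constraint "foobar.com" covers foobar.com and any name built by
    # adding labels on the left (mx.foobar.com), but not evilfoobar.com.
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def ip_matches(addr, constraint):
    # iPAddress constraints are encoded as base address + mask, shown here as
    # "base/mask" exactly as in the CA extension dump. 0.0.0.0/0.0.0.0 has an
    # all-zero mask, so every IPv4 address matches it; likewise ::/:: for IPv6.
    base_s, mask_s = constraint.split("/")
    base, mask, ip = (ipaddress.ip_address(s) for s in (base_s, mask_s, addr))
    if not (base.version == mask.version == ip.version):
        return False  # an IPv4 constraint says nothing about IPv6 names
    return (int(ip) & int(mask)) == (int(base) & int(mask))


def dirname_matches(subject, constraint):
    # A directoryName constraint matches when its RDN sequence is a prefix of
    # the subject's RDN sequence (C=US, O=Foo Bar Inc. covers ..., CN=anything).
    return tuple(subject[: len(constraint)]) == tuple(constraint)


MATCHERS = {"dns": dns_matches, "ip": ip_matches, "dirName": dirname_matches}


def check_name_constraints(names, constraints):
    """names: the leaf's SANs plus ('dirName', subject). Returns (ok, reason).

    Constraints of a given kind apply only to names of that kind; a leaf with no
    iPAddress SAN is therefore never rejected by an IP exclusion.
    """
    for kind, value in names:
        match = MATCHERS[kind]
        for ckind, cval in constraints.excluded:
            if ckind == kind and match(value, cval):
                return False, f"{kind} {value!r} is inside excluded subtree {cval!r}"
        permitted = [cval for ckind, cval in constraints.permitted if ckind == kind]
        if permitted and not any(match(value, cval) for cval in permitted):
            return False, f"{kind} {value!r} matches no permitted subtree"
    return True, "all names satisfy the constraints"


# Reconstructed from the CA extension quoted in the thread.
CA_CONSTRAINTS = NameConstraints(
    permitted=[
        ("dns", "foobar.com"),
        ("dns", "foobar.email"),
        ("dirName", (("C", "US"), ("O", "Foo Bar Inc."))),
    ],
    excluded=[
        ("dns", "www.foobar.com"),
        ("dns", "www.foobar.email"),
        ("ip", "0.0.0.0/0.0.0.0"),
        ("ip", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"),
    ],
)

# Reconstructed from server.crt in the thread: subject DN plus the two DNS SANs.
SERVER_NAMES = [
    ("dirName", (("C", "US"), ("O", "Foo Bar Inc."), ("CN", "bazz.foobar.com"))),
    ("dns", "update.foobar.com"),
    ("dns", "mx.foobar.email"),
]


def check_server():
    """The thread's server.crt: no IP SAN, so the IP exclusions do not apply."""
    return check_name_constraints(SERVER_NAMES, CA_CONSTRAINTS)


def check_with_ip_san(addr):
    """Constructed variant: the same leaf plus an iPAddress SAN."""
    return check_name_constraints(SERVER_NAMES + [("ip", addr)], CA_CONSTRAINTS)


def check_with_dns_san(name):
    """Constructed variant: the same leaf plus one more dNSName SAN."""
    return check_name_constraints(SERVER_NAMES + [("dns", name)], CA_CONSTRAINTS)


if __name__ == "__main__":
    print("server.crt as posted:", check_server())
    print("plus IP SAN 192.0.2.10:", check_with_ip_san("192.0.2.10"))
    print("plus IP SAN 2001:db8::1:", check_with_ip_san("2001:db8::1"))
    print("plus DNS SAN www.foobar.com:", check_with_dns_san("www.foobar.com"))
    print("plus DNS SAN foobar.org:", check_with_dns_san("foobar.org"))
```

Run without arguments it prints the verdict for the certificate as posted (accepted) and for constructed variants that add an IP SAN (rejected by the all-zero-mask exclusion), an excluded DNS name, and a DNS name outside the permitted subtrees. A validator that rejects the posted certificate as-is is applying the IP exclusion to a leaf that carries no IP name, which the RFC rules above do not do.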