[gnutls-help] [gnutls-devel] DER decoding errors due to time format
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Wed May 10 14:07:55 CEST 2017
On Wed, May 10, 2017 at 2:06 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Tue, May 9, 2017 at 8:47 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
>> On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos wrote:
>>> Hi,
>>> gnutls 3.5.x is more strict in certificate decoding and performs
>>> various checks in the Time fields to ensure they are properly DER
>>> formatted. However, it is seems that this caused regressions with
>>> certain certificates generated by ovirt as seen in [0]. I am not sure
>>> which software was used to generate the problematic ones, however, it
>>> is most likely openssl, or some other open source software. Are you
>>> aware of other or similar decoding issues which were a result of 3.5.x
>>> being more strict in DER rules?
>>>
>>> The options we have are:
>>> 1. Ignore the error and insist on DER correctness in input certificates.
>>> 2. Allow incorrect formatted time fields in certificates
>>> unconditionally, e.g., with a special libtasn1 flag:
>>> https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc
>>>
>>> any other option I've missed? While I favor the first for its
>>> simplicity, reality has shown over the years we must yield towards the
>>> 'work' part.
>>
>> NSS is strict in what it accepts. We've recently changed openssl to be
>> more strict too (commit 80770da39ebba0101079477611b7ce2f426653c5,
>> https://github.com/openssl/openssl/issues/2620), but maybe not
>> strict enough yet.
>
> Thank you, that is really helpful. It seems that Kurt
Sorry, I meant to write Tim here!
regards,
Nikos
More information about the Gnutls-help
mailing list