[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more |
Date: |
Fri, 05 Dec 2008 21:01:00 +0200 |
User-agent: |
Thunderbird 2.0.0.18 (X11/20081125) |
Simon Josefsson wrote:
>>> gnutls-cli -p 443 hbci-pintan-rp.s-hbci.de --x509cafile \
>>> /etc/ssl/certs/ca-certificates.crt
>> It seems to me that MD2 is missing from newer gnutls and this is the
>> reason why it fails. libgcrypt has the MD2 enumeration but not the
>> actual implementation and this tricked me into removing the included
>> md2. I will try to revert the old behavior of using an included version
>> of md2.
>
> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
>
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
>
> It seems this problem is caused by the chain validation algorithm now
> also look at the CA cert, but it didn't before the GNUTLS-SA-2008-3
> patch.
I've added again the GNUTLS-SA-2008-3 patch this time with some checks
to avoid the crashes.
regards,
Nikos
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 92ef722..00e2422 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t *
certificate_list,
int i = 0, ret;
unsigned int status = 0, output;
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This in addition prevents from verifying self signed certificates
+ * against themselves. This although not bad caused verification
+ * failures on some root self signed certificates that use the MD2
+ * algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+ }
+
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Andreas Metzler, 2008/12/03
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Nikos Mavrogiannopoulos, 2008/12/04
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Simon Josefsson, 2008/12/04
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Tomas Mraz, 2008/12/04
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Nikos Mavrogiannopoulos, 2008/12/04
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more,
Nikos Mavrogiannopoulos <=
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Simon Josefsson, 2008/12/10
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Simon Josefsson, 2008/12/10
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Simon Josefsson, 2008/12/10
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Nikos Mavrogiannopoulos, 2008/12/10
- Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more, Simon Josefsson, 2008/12/11