Re: gnutls fails to use Verisign CA cert without a Basic Constraint
From: Douglas E. Engert
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Fri, 09 Jan 2009 10:40:53 -0600
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)
Simon Josefsson wrote:
> Simon Josefsson <address@hidden> writes:
>
>> "Douglas E. Engert" <address@hidden> writes:
>>
>>> Attached are the server cert (auth2.it.anl.gov), the intermediate cert
>>> (f0a38a80.0) and the CA self signed cert (7651b327.0)
>>
>> Thanks, I can reproduce the problem. Should be fixed with this patch:
>> http://git.savannah.gnu.org/cgit/gnutls.git/commit/
>
> Sorry, that link was wrong. For the 2.6.x branch the proper link is:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=423fc8b82f2b9aa3ea820cd5cf75d5813dffbbf0
>
> Please test the patch and confirm whether or not it works for you. I
> think we should do a new 2.6.x release to deal with this.
I tried the patch against the Ubuntu version, but it still fails. Looking
at 2.6.3 and the Ubuntu version I don't see any differences in this area.

When using ldapsearch, gnutls_x509_crl_verify is called with flags=0.
I don't see where GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT or
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT are set.

I do see that src/cli.c sets them in init_global_tls_stuff, but cli.c is
a test program(?) and not part of the lib.

I do see that in 2.6.3 lib/x509/verify.c will XOR? it at line 444
(2.6.3 version): flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
But that is too late, as _gnutls_verify_certificate2 is called at
line 402 with flags=0.

Also, should line 444 be |= rather than ^= ?
> The latest daily build contains all fixes, so everyone, please test this
> as if it were a new 2.6.x release:
> http://daily.josefsson.org/gnutls-2.6/gnutls-2.6-20090109.tar.gz
>
> It is a good time to raise other problems with 2.6.x now.
>
> Thanks,
> /Simon
--
Douglas E. Engert <address@hidden>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
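An added example, not code from the thread or from gnutls, modelling the two points raised in the message above: a default verification flag applied after the inner check has already run does nothing, and applying it with `^=` toggles the bit off again whenever the caller had already set it, whereas `|=` adds it idempotently. The flag bit values and the `root_cert` model are stand-ins chosen for this example, not gnutls's definitions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in bit value chosen for this example; it is not gnutls's own
 * definition, only a bit to play the role of ALLOW_X509_V1_CA_CRT. */
#define ALLOW_V1_CA_CRT (1u << 1)

/* Minimal model of a trusted root: X.509 version and whether it carries
 * a Basic Constraints extension (a v1 cert cannot carry extensions). */
struct root_cert { int version; bool has_basic_constraints; };

/* Inner check: a root lacking Basic Constraints is accepted only when the
 * flags handed to it explicitly allow it. */
static bool root_acceptable(const struct root_cert *r, unsigned int flags)
{
    if (r->has_basic_constraints)
        return true;
    return (flags & ALLOW_V1_CA_CRT) != 0;
}

/* Outer verify, with two knobs modelling the points raised in the mail:
 * adjust_before_inner: is the default applied before the inner check runs?
 * use_or: is the default added with |= (true) or toggled with ^= (false)? */
static bool verify_root(const struct root_cert *r, unsigned int flags,
                        bool adjust_before_inner, bool use_or)
{
    if (adjust_before_inner)
        flags = use_or ? (flags | ALLOW_V1_CA_CRT) : (flags ^ ALLOW_V1_CA_CRT);
    bool ok = root_acceptable(r, flags);
    if (!adjust_before_inner) /* too late: the decision was already made */
        flags = use_or ? (flags | ALLOW_V1_CA_CRT) : (flags ^ ALLOW_V1_CA_CRT);
    return ok;
}

int main(void)
{
    const struct root_cert v1_root = { 1, false };
    /* caller passes flags=0, default applied after the inner check: rejected */
    printf("after,  ^=            : %d\n", verify_root(&v1_root, 0, false, false));
    /* applied before: ^= and |= both turn the bit on when it was clear */
    printf("before, ^=            : %d\n", verify_root(&v1_root, 0, true, false));
    /* caller already set the flag: ^= toggles it off again, |= keeps it */
    printf("before, ^= (flag set) : %d\n",
           verify_root(&v1_root, ALLOW_V1_CA_CRT, true, false));
    printf("before, |= (flag set) : %d\n",
           verify_root(&v1_root, ALLOW_V1_CA_CRT, true, true));
    return 0;
}
```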