help-gnutls

Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME


From: Simon Josefsson
Subject: Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
Date: Mon, 21 Jun 2010 11:32:19 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Lars Noschinski <address@hidden> writes:

> Hi,
>
> I am wondering when the flag GNUTLS_VERIFY_DO_NOT_ALLOW_SAME should be
> used. I've seen it in use in the Wocky library[0], which is used by the
> instant messenger client empathy.
>
> This flag seems to prevent connections to servers using certificates
> from CAcert.org, as their root and class3 certificates[1] use MD5 and are
> hence deemed insecure by gnutls; i.e.
>
>     $ gnutls-cli jabberd.jabber.ccc.de --x509cafile /tmp/cacert.crt
>
> succeeds (where cacert.crt is the concatenation of both the cacert.org
> certificates), but if I patch gnutls-cli to set
> GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, it fails.
>
> Now, this is probably intended behaviour for GnuTLS, but I wonder
> whether this flag is a sensible choice for such a client application?

I don't see any normal situation where this flag is useful.

I'm not sure the behaviour you see is actually intended; I don't see why
it should reject the chain here.  So it may be a bug...

The flag _may_ be useful if you have an X.509 Version 1 certificate as a
trust anchor.  You may want to trust an X.509v1 CA for verifying server
certificates signed by the X.509v1 CA, but you definitely do not want to
accept that certificate as the server certificate (because there are no
name restriction extensions).  On the other hand, you shouldn't use
X.509v1 certificates anyway...

/Simon


