gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at anl.gov
Mon Feb 2 17:40:58 CET 2009



Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
> 
>> Simon Josefsson wrote:
>>> If the patch is over 10 lines long we will need a copyright assignment
>>> before we can apply it though.  If you want to speed up the process, you
>>> could fill out the form below now.
>>>
>> I sent in the form to assign at gnu.org. They are sending a paper copy
>> which must be signed and mailed back. This may be a problem, as I will
>> have to get it OK'ed, which might take weeks.
>>
>> So here is the short version of a "shorten the cert chain" patch that
>> is only 10 lines long. Do with it what you want. As this fixes
>> our problem, I consider it a bug fix.
>>
>> But you will need to add a check_if_same_cert routine, which can be
>> taken from the first half of the check_if_ca routine. The line numbers
>> may be off, but in the 2.6.3 version, it would be inserted at line 394.
>>
>> This will also solve our problem, as V1 cert will not get used at all
>> ans the intermediate cert is trusted and is V3.
> 
> Thanks for the patch.  I started looking at this now, and there is a
> small problem: the code removes certificates from the certificate chain
> before the CRL code has had a chance to check whether certificates in
> the chain are revoked.  I think the best is to move the CRL checking
> code up a bit.

But the certs it removes are ones that you have in your trusted list.
Are you saying that you don't check CRLs for the trusted certs? Should
you? Without the mod, is there a security concern if an attacker sends
in a short list, in effect duplicating what the mod does?

> 
> I'll try to get a new 2.6.x and 2.4.x release out, and then look further
> at getting your patch into the 2.7.x branch.  I'm rather busy this week
> though, so may not have time until next week.
> 

I am at the ISOC NDSS meeting next week, so am busy too.


> /Simon
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444





More information about the Gnutls-devel mailing list