gnutls fails to use Verisign CA cert without a Basic Constraint
Douglas E. Engert
deengert at anl.gov
Mon Jan 12 16:37:10 CET 2009
Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>> Simon Josefsson wrote:
>>> The default is to reject V1 CA's, so the application need to supply
>>> either flag if they want a particular behaviour.
>>> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
>>> flags parameter. If you call the verification through
>>> gnutls_session_verify_peers, you can use the
>>> gnutls_certificate_set_verify_flags function to set the flags to use
>>> (like cli.c does).
>> That will be a problem, as the application is ldap used by nss-ldap.
>> I have not looked at how they call gnutls, but we don't want to have to
>> changes these too.
>> One could argue the application already provides the list of CA certs
>> it is willing to trust, so why does it need to provide an additional flag?
> I believe it would break ABI/API compatibility to change this now --
> applications assume that V1 CA are rejected since that has been the
> documented behaviour for several years.
> It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
> V1 flag if it really wants GnuTLS to permit V1 CA's.
Its not the application that wants it. As far as I can tell previous versions
of ldap using OpenLDAP do not have the problem, and only after Ubuntu
back ported the December fixes did this problem start occuring.
I understand that you don't want to change your code.
> Nikos, what do you think? You wrote the code here, and introduced the
> work-around flags to deal with V1 certs.
Also, as Daniel Kahn Gillmor pointed out, to clear the bit
needs this change:
> - flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
> + flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
But this would not solve the problem either.
> For things that aren't documented, I think we can be pragmatic and come
> up with quick fixes and apply them to the v2.6.x branch as needed. But
> anything that changes documented and intended behaviour is not
> appropriate for our stable branch IMHO.
>> If the code change on you TODO list to stop when an intermediate CA cert
>> is found on the trusted CA list, then this would solve my problem,
>> as the intermediate cert is V3 and has CA:TRUE, and is trusted.
> Yup. Fixing that would be neat, and could go onto the v2.7.x branch
> which we could release as the next stable branch relatively quickly.
Actually I wrote a mod on this Friday, to do this. I need to clean it
up today and send it in for your review.
The CA in question is a Verisign cert used to sign an intermediate cert:
So trusting this intermediate V3 cert would work for us.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Gnutls-devel