gnutls fails to use Verisign CA cert without a Basic Constraint
Douglas E. Engert
deengert at anl.gov
Mon Jan 12 17:09:41 CET 2009
OK, see form below.
Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>
>> Simon Josefsson wrote:
>>> "Douglas E. Engert" <deengert at anl.gov> writes:
>>>
>>>> Simon Josefsson wrote:
>>>>
>>>>> The default is to reject V1 CA's, so the application needs to supply
>>>>> either flag if they want a particular behaviour.
>>>>>
>>>>> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
>>>>> flags parameter. If you call the verification through
>>>>> gnutls_session_verify_peers, you can use the
>>>>> gnutls_certificate_set_verify_flags function to set the flags to use
>>>>> (like cli.c does).
>>>> That will be a problem, as the application is ldap used by nss-ldap.
>>>> I have not looked at how they call gnutls, but we don't want to have to
>>>> change these too.
>>>>
>>>> One could argue the application already provides the list of CA certs
>>>> it is willing to trust, so why does it need to provide an additional flag?
>>> I believe it would break ABI/API compatibility to change this now --
>>> applications assume that V1 CA are rejected since that has been the
>>> documented behaviour for several years.
>>>
>>> It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
>>> V1 flag if it really wants GnuTLS to permit V1 CA's.
>> It's not the application that wants it. As far as I can tell previous
>> versions of ldap using OpenLDAP do not have the problem, and only
>> after Ubuntu back ported the December fixes did this problem start
>> occurring.
>
> The December fixes solved a security problem where some CA certificates
> were simply ignored by the validation code, so maybe it only worked by
> accident before.
>
>> I understand that you don't want to change your code.
>
> I don't see anything wrong with the code -- with the patch installed on
> gnutls 2.6.x, it should behave as per the documentation.
>
>>> For things that aren't documented, I think we can be pragmatic and come
>>> up with quick fixes and apply them to the v2.6.x branch as needed. But
>>> anything that changes documented and intended behaviour is not
>>> appropriate for our stable branch IMHO.
>>>
>>>> If the code change on your TODO list is to stop when an intermediate CA cert
>>>> is found on the trusted CA list, then this would solve my problem,
>>>> as the intermediate cert is V3 and has CA:TRUE, and is trusted.
>>> Yup. Fixing that would be neat, and could go onto the v2.7.x branch
>>> which we could release as the next stable branch relatively quickly.
>> Actually I wrote a mod on this Friday, to do this. I need to clean it
>> up today and send it in for your review.
>>
>> The CA in question is a Verisign cert used to sign an intermediate cert:
>> http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
>> So trusting this intermediate V3 cert would work for us.
>
> Thanks! Several people have asked about this feature, solving it would
> be useful.
>
> If the patch is over 10 lines long we will need a copyright assignment
> before we can apply it though. If you want to speed up the process, you
> could fill out the form below now.
>
> /Simon
>
> Please email the following information to assign at gnu.org, and we
> will send you the assignment form for your past and future changes.
>
> Please use your full legal name (in ASCII characters) as the subject
> line of the message.
> ----------------------------------------------------------------------
> REQUEST: SEND FORM FOR PAST AND FUTURE CHANGES
>
> [What is the name of the program or package you're contributing to?]
GnuTLS
>
>
> [Did you copy any files or text written by someone else in these changes?
> Even if that material is free software, we need to know about it.]
No.
>
>
> [Do you have an employer who might have a basis to claim to own
> your changes? Do you attend a school which might make such a claim?]
No. No.
>
>
> [For the copyright registration, what country are you a citizen of?]
U.S.
>
>
> [What year were you born?]
1946
>
>
> [Please write your email address here.]
deengert at anl.gov
>
>
> [Please write your postal address here.]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
>
>
>
>
>
> [Which files have you changed so far, and which new files have you written
> so far?]
Changed: src/lib/x509/verify.c
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
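The two verification rules argued over in this thread (a V1 certificate is only accepted as a CA when the application passes the allow flag, and the TODO item of stopping the chain walk as soon as a chain member is itself on the trusted list) are modelled in the added C example below. This is not GnuTLS code and it does no signature checking at all: a certificate is "issued by" whatever entry matches its issuer name. The flag and status names are modelled on GnuTLS's GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT and GNUTLS_CERT_SIGNER_NOT_CA / GNUTLS_CERT_SIGNER_NOT_FOUND; VERIFY_STOP_AT_TRUSTED is a hypothetical flag standing in for the proposed trusted-intermediate behaviour; the leaf, intermediate and V1 root are constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verification flags. ALLOW_X509_V1_CA_CRT mirrors the GnuTLS flag the thread refers to;
 * STOP_AT_TRUSTED is hypothetical and models the "stop at a trusted intermediate" TODO item. */
#define VERIFY_ALLOW_X509_V1_CA_CRT 0x01u
#define VERIFY_STOP_AT_TRUSTED      0x02u

/* Status bits returned by verify_chain(); 0 means the chain was accepted. */
#define CERT_INVALID          0x01u
#define CERT_SIGNER_NOT_FOUND 0x02u
#define CERT_SIGNER_NOT_CA    0x04u

typedef struct {
    const char *subject;
    const char *issuer;
    int version;                /* 1 or 3 */
    bool basic_constraints_ca;  /* CA:TRUE in a V3 basicConstraints extension */
} cert_t;

/* A V3 certificate is a CA only if basicConstraints says CA:TRUE.
 * A V1 certificate has no extensions, so it can only be a CA if the caller opted in. */
static bool may_act_as_ca(const cert_t *c, unsigned flags)
{
    if (c->version == 3) return c->basic_constraints_ca;
    if (c->version == 1) return (flags & VERIFY_ALLOW_X509_V1_CA_CRT) != 0;
    return false;
}

/* Name-based lookup; stands in for the issuer/subject DN and key matching a real verifier does. */
static const cert_t *find_by_subject(const cert_t *list, size_t n, const char *subject)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].subject, subject) == 0) return &list[i];
    return NULL;
}

/* Walk the chain leaf-first until a trust anchor is reached. */
unsigned verify_chain(const cert_t *chain, size_t chain_len,
                      const cert_t *trusted, size_t trusted_len, unsigned flags)
{
    for (size_t i = 0; i < chain_len; i++) {
        const cert_t *cur = &chain[i];
        bool issuer_is_anchor = false;

        /* Prefer the issuer supplied in the chain; fall back to the trusted list. */
        const cert_t *issuer = find_by_subject(chain + i + 1, chain_len - i - 1, cur->issuer);
        if (!issuer) {
            issuer = find_by_subject(trusted, trusted_len, cur->issuer);
            issuer_is_anchor = true;
        }
        if (!issuer) return CERT_INVALID | CERT_SIGNER_NOT_FOUND;

        /* This is the check that rejects a V1 root unless the application asked for it. */
        if (!may_act_as_ca(issuer, flags)) return CERT_INVALID | CERT_SIGNER_NOT_CA;

        if (issuer_is_anchor) return 0;  /* chain terminates in a trusted CA */

        /* Hypothetical trusted-intermediate rule: if the chain-supplied issuer is itself on
         * the trusted list, anchor here and never inspect anything above it (e.g. a V1 root). */
        if ((flags & VERIFY_STOP_AT_TRUSTED) &&
            find_by_subject(trusted, trusted_len, issuer->subject))
            return 0;
    }
    return CERT_INVALID | CERT_SIGNER_NOT_FOUND;  /* ran out of chain without an anchor */
}

/* Constructed sample data: leaf <- V3 intermediate (CA:TRUE) <- V1 root without basicConstraints. */
static const cert_t CHAIN[] = {
    {"ldap.example.org",        "Example Intermediate CA", 3, false},
    {"Example Intermediate CA", "Example V1 Root",         3, true},
};
static const cert_t TRUST_ROOT[]         = { {"Example V1 Root", "Example V1 Root", 1, false} };
static const cert_t TRUST_INTERMEDIATE[] = { {"Example Intermediate CA", "Example V1 Root", 3, true} };

/* Scenario from the thread's subject line: the application trusts the V1 root. */
unsigned verify_with_trusted_root(unsigned flags)
{
    return verify_chain(CHAIN, 2, TRUST_ROOT, 1, flags);
}

/* Douglas's workaround: trust the V3 intermediate instead of the V1 root. */
unsigned verify_with_trusted_intermediate(unsigned flags)
{
    return verify_chain(CHAIN, 2, TRUST_INTERMEDIATE, 1, flags);
}

int main(void)
{
    printf("trusted V1 root, default flags:        0x%02x\n", verify_with_trusted_root(0));
    printf("trusted V1 root, ALLOW_X509_V1_CA_CRT: 0x%02x\n", verify_with_trusted_root(VERIFY_ALLOW_X509_V1_CA_CRT));
    printf("trusted intermediate, default flags:   0x%02x\n", verify_with_trusted_intermediate(0));
    printf("trusted intermediate, STOP_AT_TRUSTED: 0x%02x\n", verify_with_trusted_intermediate(VERIFY_STOP_AT_TRUSTED));
    return 0;
}
```

The first scenario is the failure in the subject line: the chain is fine up to the intermediate, but the V1 root in the trusted list is refused as a signer (CERT_SIGNER_NOT_CA) unless the application passed the allow flag, which is exactly the flag nss-ldap does not set. The second scenario shows why trusting the V3 intermediate only helps once the verifier is willing to anchor in the middle of the chain: without that behaviour it keeps walking, looks for the root, and fails with CERT_SIGNER_NOT_FOUND.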