Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417]
Andreas Metzler
ametzler at downhill.at.eu.org
Sat Jan 9 16:34:08 CET 2010
On 2009-04-30 Simon Josefsson <simon at josefsson.org> wrote:
[...]
> We have set up three demo URLs with expired certificates for testing
> purposes:
> https://expired.demo.gnutls.org/ - Expired server certificate
[...]
> You can test them like this:
> jas at mocca:~$ gnutls-cli expired.demo.gnutls.org
> Resolving 'expired.demo.gnutls.org'...
> Connecting to '207.192.75.61:443'...
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 2056 bits
> - Secret key: 2047 bits
> - Peer's public key: 2048 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> # The hostname in the certificate matches 'expired.demo.gnutls.org'.
> # valid since: Wed Apr 22 00:00:58 CEST 2009
> # expires at: Thu Apr 23 00:00:58 CEST 2009
> # fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
> # Subject's DN: CN=expired.demo.gnutls.org
> # Issuer's DN: O=CA for expired.demo.gnutls.org
> # error: certificate has expired
> jas at mocca:~$
> The expected behaviour is that gnutls-cli should complain that the
> certificate has expired for all URLs.
[...]
> if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
> printf ("- Peer's certificate issuer is unknown\n");
> + if (status & GNUTLS_CERT_NOT_ACTIVATED)
> + printf ("- Peer's certificate chain uses not yet valid certificate\n");
> + if (status & GNUTLS_CERT_EXPIRED)
> + printf ("- Peer's certificate chain uses expired certificate\n");
> if (status & GNUTLS_CERT_INVALID)
> printf ("- Peer's certificate is NOT trusted\n");
> else
Hello,
this test does not work for me with any version of gnutls. There is no
"error: certificate has expired" or even "Peer's certificate chain
uses expired certificate".
2.4.2+patch:
ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 2056 bits
- Secret key: 2039 bits
- Peer's public key: 2048 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'expired.demo.gnutls.org'.
# valid since: Wed Apr 22 00:00:58 CEST 2009
# expires at: Thu Apr 23 00:00:58 CEST 2009
# fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
# Subject's DN: CN=expired.demo.gnutls.org
# Issuer's DN: O=CA for expired.demo.gnutls.org
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
2.8.5
(SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2047 bits
- Peer's public key: 2048 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
- The hostname in the certificate matches 'expired.demo.gnutls.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
2.9.9:
(SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2045 bits
- Peer's public key: 2045 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
- The hostname in the certificate matches 'expired.demo.gnutls.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Gnutls-devel
mailing list