Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417]

Andreas Metzler ametzler at downhill.at.eu.org
Sat Jan 9 16:34:08 CET 2010


On 2009-04-30 Simon Josefsson <simon at josefsson.org> wrote:
[...]
> We have set up three demo URLs with expired certificates for testing
> purposes:

> https://expired.demo.gnutls.org/ - Expired server certificate
[...]
> You can test them like this:

> jas at mocca:~$ gnutls-cli expired.demo.gnutls.org
> Resolving 'expired.demo.gnutls.org'...
> Connecting to '207.192.75.61:443'...
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 2056 bits
>  - Secret key: 2047 bits
>  - Peer's public key: 2048 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.

>  - Certificate[0] info:
>  # The hostname in the certificate matches 'expired.demo.gnutls.org'.
>  # valid since: Wed Apr 22 00:00:58 CEST 2009
>  # expires at: Thu Apr 23 00:00:58 CEST 2009
>  # fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
>  # Subject's DN: CN=expired.demo.gnutls.org
>  # Issuer's DN: O=CA for expired.demo.gnutls.org
>  # error: certificate has expired
> jas at mocca:~$ 

> The expected behaviour is that gnutls-cli should complain that the
> certificate has expired for all URLs.
[...]
>        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
>  	printf ("- Peer's certificate issuer is unknown\n");
> +      if (status & GNUTLS_CERT_NOT_ACTIVATED)
> +	printf ("- Peer's certificate chain uses not yet valid certificate\n");
> +      if (status & GNUTLS_CERT_EXPIRED)
> +	printf ("- Peer's certificate chain uses expired certificate\n");
>        if (status & GNUTLS_CERT_INVALID)
>  	printf ("- Peer's certificate is NOT trusted\n");
>        else


Hello,

this test does not work for me with any version of gnutls. There is no
"error: certificate has expired" or even "Peer's certificate chain
uses expired certificate".

2.4.2+patch:
ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2056 bits
 - Secret key: 2039 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'expired.demo.gnutls.org'.
 # valid since: Wed Apr 22 00:00:58 CEST 2009
 # expires at: Thu Apr 23 00:00:58 CEST 2009
 # fingerprint: 97:B9:94:8C:4F:29:31:56:CD:85:9F:8D:D5:4E:D2:4E
 # Subject's DN: CN=expired.demo.gnutls.org
 # Issuer's DN: O=CA for expired.demo.gnutls.org


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

2.8.5
(SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
- The hostname in the certificate matches 'expired.demo.gnutls.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

2.9.9:
(SID)ametzler at argenau:~$ gnutls-cli expired.demo.gnutls.org
Resolving 'expired.demo.gnutls.org'...
Connecting to '207.192.75.61:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2045 bits
 - Peer's public key: 2045 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=expired.demo.gnutls.org', issuer `O=CA for expired.demo.gnutls.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-04-21 22:00:58 UTC', expires `2009-04-22 22:00:58 UTC', SHA-1 fingerprint `55f198f9ff1777e9f202e1ac268fe8946f0c84b9'
- The hostname in the certificate matches 'expired.demo.gnutls.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'





More information about the Gnutls-devel mailing list