[gnutls-devel] SSL certificate validation bugs in GnuTLS

Suman Jana suman at cs.utexas.edu
Thu Feb 13 09:28:10 CET 2014

  Hi Nikos,

  Thanks for your response. Please find my inline comments.
>> 2. Path length constraints in CA certs should be enforced. GnuTLS ignores
>> Path length constraints.
> Which version of gnutls did you use? GnuTLS supports path length
> constraints for quite some time now.
  We found the bug in GnuTLS 3.1.9. As you mentioned, GnuTLS 3.1.9 
indeed parses
  the path length constraints. However, it doesn't enforce them. During 
CA certificate
  verification, the function "check_if_ca" is called from verify.c. 
"check_if_ca" is defined in
  lib/x509/x509.c as follows -

   gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int 
     int pathlen;
     unsigned int ca;
     return gnutls_x509_crt_get_basic_constraints (cert, critical, &ca,

   The problem is that the pathlen value is never checked.

> GnuTLS will support name
> constraints when there is a reasonable profile defined. As it is now,
> the PKIX name constraints are a mess.
   While I do agree with you that name constraints are quite messy, I'll 
like to point
   out that several other open source SSL libraries that we tested 
(e.g., OpenSSL, PolarSSL,
   ,NSS, Bouncy Castle) support them.


More information about the Gnutls-devel mailing list