[gnutls-devel] turkish CA certificate

Kurt Roeckx kurt at roeckx.be
Fri Jun 6 18:11:59 CEST 2014


On Fri, Jun 06, 2014 at 03:59:51PM +0200, Ludwig Nussel wrote:
> Nikos Mavrogiannopoulos wrote:
> >On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
> >>I got this certificate from OpenSUSE repository
> >>package ca-certificates-mozilla,
> >>I guess it is trusted and public available.
> >>OpenSSL shows it correctly
> >>openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
> >>-text -noout
> >>But GNUTLS command
> >>certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> >
> >Hello,
> >  This must be the same certificate Kurt reported a few days ago. It
> >mis-encodes the country name as UTF8String rather than printable
> >string, and this is the reason decoding fails.
> >RFC5280 is strict on the encoding of countryName and that is a PrintableString:
> >X520countryName ::=     PrintableString (SIZE (2))
> >
> >I guess all other implementations give some slack to the spec and
> >that's why they didn't notice. How important is that certificate? Would
> >it make sense to work around and allow such invalid encodings?
> 
> If the certificate violates the spec it might also be worth reporting to
> mozilla so they don't accept such certificates in the first place.

This is actually on my list of things to do.  I think I have found a
2nd issuer but didn't have time to look at it yet.


Kurt
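The encoding rule quoted above can be checked mechanically. What follows is an added example, not code from GnuTLS, OpenSSL, or anyone on this thread: a small pure-Python DER walker that pulls every AttributeTypeAndValue out of an X.501 Name and reports countryName values that are not a PrintableString of exactly two characters, as RFC 5280 Appendix A requires (X520countryName ::= PrintableString (SIZE (2))). The two sample Names are constructed here for the example and are not taken from the TURKTRUST certificate; the strict/lenient switch is an assumption of this example that mirrors the difference described above between a decoder that rejects the UTF8String encoding and implementations that give the spec some slack.

```python
# Added example (not GnuTLS or OpenSSL code): minimal DER walker that checks
# how countryName is encoded inside an X.501 Name.
#   RFC 5280 Appendix A: X520countryName ::= PrintableString (SIZE (2))
# The sample Names built by build_name() are constructed for this example.

TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

OID_COUNTRY_NAME = bytes.fromhex("550406")        # id-at-countryName, 2.5.4.6
OID_ORGANIZATION_NAME = bytes.fromhex("55040a")   # id-at-organizationName, 2.5.4.10

# Character repertoire of PrintableString (X.680 / X.690).
PRINTABLE = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                b"0123456789 '()+,-./:=?")


def der_tlv(tag, payload):
    """Encode one DER tag-length-value (definite length, up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def name_attributes(name_der):
    """Yield (type OID bytes, value tag, value bytes) for each AttributeTypeAndValue
    in Name ::= SEQUENCE OF RelativeDistinguishedName (each RDN a SET OF ATV)."""
    tag, rdn_sequence, _ = read_tlv(name_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdn_sequence):
        tag, rdn, pos = read_tlv(rdn_sequence, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            if tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            oid_tag, oid, q = read_tlv(atv, 0)
            if oid_tag != TAG_OID:
                raise ValueError("attribute type must be an OBJECT IDENTIFIER")
            value_tag, value, _ = read_tlv(atv, q)
            yield oid, value_tag, value


def country_name_issues(name_der, strict=True):
    """Return a list of problems found with countryName attributes in name_der.

    strict=True : only PrintableString (SIZE (2)) passes, as RFC 5280 requires.
    strict=False: additionally tolerate a UTF8String whose content is still a
                  two-character PrintableString-compatible code (assumed lenient
                  policy, standing in for the slack other implementations give)."""
    issues = []
    for oid, tag, value in name_attributes(name_der):
        if oid != OID_COUNTRY_NAME:
            continue
        printable = all(b in PRINTABLE for b in value)
        if tag == TAG_PRINTABLESTRING:
            if len(value) != 2 or not printable:
                issues.append("countryName must be exactly 2 printable characters, got %r" % value)
        elif tag == TAG_UTF8STRING and not strict and len(value) == 2 and printable:
            continue  # lenient mode: accept the mis-encoded but otherwise sane value
        else:
            issues.append("countryName encoded with tag 0x%02x, expected PrintableString (0x13)" % tag)
    return issues


def build_name(country_tag, country=b"TR", org=b"Example Org"):
    """Constructed sample Name C=<country>, O=<org>; countryName is encoded with
    country_tag (PrintableString per spec, or UTF8String to mimic the bug)."""
    country_atv = der_tlv(TAG_SEQUENCE,
                          der_tlv(TAG_OID, OID_COUNTRY_NAME) + der_tlv(country_tag, country))
    org_atv = der_tlv(TAG_SEQUENCE,
                      der_tlv(TAG_OID, OID_ORGANIZATION_NAME) + der_tlv(TAG_UTF8STRING, org))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SET, country_atv) + der_tlv(TAG_SET, org_atv))


if __name__ == "__main__":
    for label, tag in (("spec-conformant", TAG_PRINTABLESTRING), ("mis-encoded", TAG_UTF8STRING)):
        name = build_name(tag)
        print(label, "| strict:", country_name_issues(name) or "ok",
              "| lenient:", country_name_issues(name, strict=False) or "ok")
```

To run this against a real certificate, feed it the DER of the subject or issuer Name rather than the whole certificate; the offsets of those SEQUENCEs can be read off `openssl asn1parse -i -in cert.pem`. The walker deliberately does not decode the value as text before checking its tag, because the tag is the point: a UTF8String holding "TR" is still the wrong type under the RFC 5280 production, which is exactly why a strict decoder and a lenient one disagree on the same bytes.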



