[gnutls-devel] Incorrect implementation of path length constraints?
Kurt Roeckx
kurt at roeckx.be
Sun Dec 13 20:16:15 CET 2015
On Sun, Dec 13, 2015 at 07:31:03PM +0100, Andreas Metzler wrote:
> On 2015-12-13 Kurt Roeckx <kurt at roeckx.be> wrote:
> > On Sun, Dec 13, 2015 at 05:42:24PM +0100, Nikos Mavrogiannopoulos wrote:
> >> On Wed, 2015-12-09 at 23:29 +0100, Kurt Roeckx wrote:
> [...]
> >>> A test site is www.abb.com.
> [...]
> >> I haven't checked the details by trying this website with a recent
> >> gnutls version it works. Which version of gnutls do you test with?
>
> > I'm using 3.3.15.
>
> Hello,
>
> does this show up as a connection error? gnutls-cli from both 3.4.6
> and 3.3.18 connect successfully.
So I just tried the 3.3.18 version instead, and that does work
properly. This is what I see with 3.3.15 (and 3.3.8):
$ gnutls-cli www.abb.com
Processed 180 CA certificate(s).
Resolving 'www.abb.com'...
Connecting to '138.224.0.100:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=CH,L=Baden,O=ABB Information Systems Ltd.,CN=www.abb.com', issuer `C=CH,L=Zurich,O=ABB,CN=ABB Issuing CA 6', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-04-22 07:26:29 UTC', expires `2017-10-08 07:26:29 UTC', SHA-1 fingerprint `55107158d3f572284408cef640dd214954ef0467'
Public Key ID:
1a71541a0dbe7f2b027a916024dc9693e57014f6
Public key's random art:
+--[ RSA 2048]----+
| . ..=*.++. |
| o B= + o. |
| + .o E |
| o o . |
| . ...S |
| +o . |
| ..o . . |
| . . . .. . |
| . . .. |
+-----------------+
- Certificate[1] info:
- subject `C=CH,L=Zurich,O=ABB,CN=ABB Issuing CA 6', issuer `C=CH,L=Zurich,O=ABB,CN=ABB Intermediate CA 3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-03-04 09:46:43 UTC', expires `2020-03-04 09:56:43 UTC', SHA-1 fingerprint `b9a59051ca53f6577223c43eec2493839343fe4d'
- Certificate[2] info:
- subject `C=CH,L=Zurich,O=ABB,CN=ABB Intermediate CA 3', issuer `C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-05-21 18:52:53 UTC', expires `2022-05-21 18:52:20 UTC', SHA-1 fingerprint `e12ba5aeb7613a72cc9652f1673017a5d8fc7479'
- Status: The certificate is NOT trusted. The certificate chain violates the signer's constraints.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Kurt