[gnutls-devel] Name constraint error?

Kurt Roeckx kurt at roeckx.be
Sun Dec 20 18:35:26 CET 2015


On Sun, Dec 20, 2015 at 07:09:13PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Dec 20, 2015 at 5:37 PM, Andreas Metzler <ametzler at bebt.de> wrote:
> > The error happens at the CA->intermed step.
> > host
> >         Issuer: C=GR,O=Aristotle University of Thessaloniki,CN=Aristotle University of Thessaloniki Central CA R5
> >         Subject: C=GR,O=Aristotle University of Thessaloniki,OU=IT Center,CN=cdn.it.auth.gr
> > intermed CA
> >         Issuer: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> >         Subject: C=GR,O=Aristotle University of Thessaloniki,CN=Aristotle University of Thessaloniki Central CA R5
> > root CA
> >         Issuer: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> >         Subject: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> >                 Name Constraints (not critical):
> >                         Permitted:
> >                                 DNSname: .gr
> >                                 DNSname: .eu
> >                                 DNSname: .edu
> >                                 DNSname: .org
> >                                 RFC822Name: .gr
> >                                 RFC822Name: .eu
> >                                 RFC822Name: .edu
> >                                 RFC822Name: .org
> > I suspect that the Name Constraints might cause the error.
> 
> Indeed. That's one of the few CAs using name constraints and
> unfortunately it uses them wrong.
> I had an open issue at https://gitlab.com/gnutls/gnutls/issues/3
> which was resolved at the 3.4.x branch.

I couldn't remember the details earlier but this certificate is
exactly why OpenSSL changed its behaviour about a year ago.


Kurt



