[gnutls-devel] DER decoding errors due to time format

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue May 9 14:48:08 CEST 2017

gnutls 3.5.x is more strict in certificate decoding and performs
various checks in the Time fields to ensure they are properly DER
formatted. However, it seems that this caused regressions with
certain certificates generated by ovirt as seen in [0]. I am not sure
which software was used to generate the problematic ones, however, it
is most likely openssl, or some other open source software. Are you
aware of other or similar decoding issues which were a result of 3.5.x
being more strict in DER rules?

The options we have are:
 1. Ignore the error and insist on DER correctness in input certificates.
 2. Allow incorrectly formatted time fields in certificates
unconditionally, e.g., with a special libtasn1 flag:

Any other option I've missed? While I favor the first for its
simplicity, reality has shown over the years we must yield towards the
'work' part.


[0]. https://gitlab.com/gnutls/gnutls/issues/196
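
Added example, not part of the original message and not GnuTLS or libtasn1 code: a strict syntax check for the content octets of a DER Time value, following the restrictions in X.690 sections 11.7 and 11.8, to show the kind of encodings a strict decoder refuses. The function name and the sample strings are constructed; the message does not say which rule the ovirt certificates break.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TAG_UTCTIME         0x17
#define TAG_GENERALIZEDTIME 0x18

/* Returns 1 if the content octets of a Time value follow the DER
 * restrictions of X.690 11.7 (GeneralizedTime) and 11.8 (UTCTime), else 0.
 * Only syntax is checked, not calendar validity (e.g. month <= 12). */
int der_time_is_canonical(unsigned char tag, const char *s, size_t len)
{
    size_t digits, i;

    if (tag == TAG_UTCTIME)
        digits = 12;                /* YYMMDDHHMMSS */
    else if (tag == TAG_GENERALIZEDTIME)
        digits = 14;                /* YYYYMMDDHHMMSS */
    else
        return 0;

    /* Seconds are mandatory in DER, so every date/time digit must be there,
     * followed by at least the terminating 'Z'. */
    if (len < digits + 1)
        return 0;
    for (i = 0; i < digits; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;

    /* GeneralizedTime may carry a fraction: '.', digits, no trailing zero. */
    if (tag == TAG_GENERALIZEDTIME && s[i] == '.') {
        size_t start = ++i;
        while (i < len && isdigit((unsigned char)s[i]))
            i++;
        if (i == start || s[i - 1] == '0')
            return 0;
    }

    /* Must be UTC: exactly one trailing 'Z', no +hhmm/-hhmm offset. */
    return i + 1 == len && s[i] == 'Z';
}

int main(void)
{
    /* Constructed samples, not taken from any real certificate. */
    const char *utc[] = { "170509124808Z", "1705091248Z", "170509144808+0200" };
    for (size_t k = 0; k < 3; k++)
        printf("%-18s %s\n", utc[k], der_time_is_canonical(
               TAG_UTCTIME, utc[k], strlen(utc[k])) ? "ok" : "reject");
    return 0;
}
```

The second and third samples are valid BER (seconds omitted, local offset) but not valid DER, which is the gap between a lenient and a strict decoder.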
