[gnutls-devel] DER decoding errors due to time format

Daniel P. Berrange berrange at redhat.com
Tue May 9 15:04:33 CEST 2017

On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos wrote:
> Hi,
>  gnutls 3.5.x is more strict in certificate decoding and performs
> various checks in the Time fields to ensure they are properly DER
> formatted. However, it is seems that this caused regressions with
> certain certificates generated by ovirt as seen in [0]. I am not sure
> which software was used to generate the problematic ones, however, it
> is most likely openssl, or some other open source software. Are you
> aware of other or similar decoding issues which were a result of 3.5.x
> being more strict in DER rules?
> The options we have are:
>  1. Ignore the error and insist on DER correctness in input certificates.
>  2. Allow incorrect formatted time fields in certificates
> unconditionally, e.g., with a special libtasn1 flag:
> https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc
> any other option I've missed? While I favor the first for its
> simplicity, reality has shown over the years we must yield towards the
> 'work' part.

Have you succeeded in getting any contact with oVirt community to find
out how they are generating their certs ? That might give some clarity
on whether it is just a minor bug in their code, vs following common/
wide practice. It isn't clear if it even affects all oVirt users or
just some subset of them, vs likely to affect large numbers of non-oVirt
users too

While being lenient in what you accept has been a good strategy in many
cases, it feels like the web browser vendors in general have changed
tack over the past few years, to favour strictness wrt TLS/x509.

|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the Gnutls-devel mailing list