[gnutls-devel] GnuTLS | Valid CA certificate rejected by GnuTLS (#693)

Mon Feb 4 20:51:27 CET 2019

New Issue was created.

Issue 693: https://gitlab.com/gnutls/gnutls/issues/693
Author:    Tavis Ormandy
Assignee:  

## Description of problem:

The routine gnutls_certificate_set_x509_trust_file() fails if the valid certificate [SSL Blindado PRO EV](https://crt.sh/?q=d6dc2aaea926ff94854e7d3eb310c6349714e8e6) is in the specified file.

## Version of gnutls used:

gnutls-3.6.6.tar.xz

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Built from source.

## How reproducible:

Steps to Reproduce:

 * Compile this program:

```
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    gnutls_certificate_credentials_t cred;
    int count;
    gnutls_global_init();
    gnutls_certificate_allocate_credentials(&cred);
    count = gnutls_certificate_set_x509_trust_file(cred, "cafile.pem", GNUTLS_X509_FMT_PEM);
    fprintf(stderr, "GnuTLS processed %d roots\n", count);
    gnutls_certificate_free_credentials(cred);
    return 0;
}
```

`$ gcc $(pkg-config --cflags --libs gnutls) testcase.c`

 * Download the certificate: `$ wget -O cafile.pem https://crt.sh/?d=12730101`
 * Observe error code: `$ ./a.out`

## Actual results:
```
$ ./a.out 
GnuTLS processed -43 roots
```

## Expected results:

```
$ ./a.out 
GnuTLS processed 1 roots

```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/693
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190204/c0b8d620/attachment-0001.html>