[gnutls-devel] GnuTLS | GnuTLS allows version one and two certificates in TLS 1.2 during client authentication (#1030)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Jun 11 15:04:31 CEST 2020
Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1030
## Description of problem:
The specification for TLS 1.2 ([RFC 5246](https://tools.ietf.org/html/rfc5246#section-7.4.6)) requires the usage of X.509v3 certificates for entity authentication. GnuTLS allows the usage of version one and two certificates.
## Version of gnutls used:
3.6.13, 3.6.14
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Compiled from source after cloning the respective branch from GitHub
## How reproducible:
Steps to Reproduce:
* Start `gnutls-serv` with
- [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/8e79d085d9f7ada8e9f088c0b21f268d/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile`
- [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem) for `--x509keyfile`
- [root.pem](/uploads/b080bace5ded73971868664aa18d6dc0/root.pem) for `--x509cafile`
- require client certificate `-r`
- verify client certificate `--verify-client-cert`
* Use OpenSSL `s_client` or similar tool to connect to the server using the following two certificates. This example uses OpenSSL.
- `openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem`
- [ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem](/uploads/ba0ef0d0e622226b559446b45fe16c4e/ROOTv3_CAv3_LEAF_RSAv2__leaf_certificate1.pem)
- [ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem](/uploads/644009f2a69240eba7908169940591ab/ROOTv3_CAv3_LEAF_RSAv2__ca_certificate1.pem)
- [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem)
For version one the certificates are:
- [ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem](/uploads/322173f1e006247727e5961fec128c5a/ROOTv3_CAv3_LEAF_RSAv1__leaf_certificate1.pem)
- [ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem](/uploads/290501bc7cf402d9101ed35d7af45378/ROOTv3_CAv3_LEAF_RSAv1__ca_certificate1.pem)
- [rsakey_2.pem](/uploads/27f047de54220503eca641dde9f9bb2e/rsakey_2.pem)
## Actual results:
GnuTLS accepts the certificates as valid and proceeds with the handshake.
## Expected results:
GnuTLS should reject the certificates and abort the handshake.
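As an added illustration (not code from the issue or from GnuTLS), the check a TLS 1.2 server is expected to apply before accepting a client certificate: read the optional `[0] EXPLICIT version` field at the start of `tbsCertificate` (absent for v1, `1` for v2, `2` for v3 per RFC 5280) and refuse anything but v3, as RFC 5246 section 7.4.6 requires. The DER inputs below are constructed stubs containing only the leading fields, not real certificates.

```python
"""Minimal DER walk to read the X.509 version and apply the TLS 1.2 rule."""


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    INTEGER DEFAULT v1, serialNumber INTEGER, ... }, ... }.  The encoded
    integer is version minus one; when the [0] field is absent the
    certificate is v1 and the first element of tbsCertificate is the serial.
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)
    if tag != 0xA0:                        # no [0] version field: DEFAULT v1
        return 1
    inner_tag, value, _ = _read_tlv(first, 0)
    if inner_tag != 0x02 or len(value) != 1:
        raise ValueError("malformed version INTEGER")
    return value[0] + 1


def acceptable_for_tls12_client_auth(der: bytes) -> bool:
    """RFC 5246 section 7.4.6: only X.509v3 certificates are acceptable."""
    return x509_version(der) == 3


# Constructed stubs: outer SEQUENCE, tbsCertificate SEQUENCE, [0] version, serial 1.
V3_STUB = bytes.fromhex("300a3008a003020102020101")
V2_STUB = bytes.fromhex("300a3008a003020101020101")
V1_STUB = bytes.fromhex("30053003020101")            # version field absent

if __name__ == "__main__":
    for name, stub in (("v1", V1_STUB), ("v2", V2_STUB), ("v3", V3_STUB)):
        print(name, x509_version(stub), acceptable_for_tls12_client_auth(stub))
```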