[gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Sep 1 16:37:40 CEST 2021

Roman Kulikov commented:

> the dup-exts.pem is there only for the [negative test case](https://gitlab.com/gnutls/gnutls/-/blob/master/tests/cert-tests/x509-duplicate-ext.sh)

Sure. I've just used it to illustrate the problem.

> but I think it's an issue in the trust store setup; i.e., all the contained certs must be in a valid form

Well, this may be the main question: do we really need to treat _every_ certificate as invalid if the trust store contains _only one_ invalid root? From my point of view as a regular user this should not happen, and every certificate should be treated as valid if its trust chain goes to a valid root certificate in the trust store.

> Wouldn't it be possible to adjust the trust store not to include such certs (I'm not sure how it's done on macOS)?

Yes, it is possible, and I've submitted a pull request to the Homebrew project fixing this. But nevertheless it would be great to make GnuTLS a bit more robust in such an error condition.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255#note_666437024
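The fix the reply points at on the trust-store side is to keep malformed roots out of the bundle before GnuTLS ever sees them. RFC 5280 (section 4.2) forbids more than one instance of a given extension in a certificate, so a duplicated extension OID is exactly what a bundle linter can test for. The following scanner is an added example for this thread, not code from GnuTLS, Homebrew or the commenter: it splits a PEM bundle, walks each certificate's DER down to the extension list, reports any OID that appears twice, and writes out the bundle with those certificates dropped. It uses only the Python standard library. The two certificates it runs on are constructed, unsigned stand-ins that only mimic the Certificate/TBSCertificate layout (the helper names tlv, encode_oid, fake_cert and the SAMPLE_BUNDLE constant are mine); the DER walk itself is generic and works on real CA certificates.

```python
"""Scan a PEM trust bundle for certificates whose extension list repeats an
OID, and drop them so the rest of the bundle can still be loaded as CAs.
Pure standard library; the DER walk is generic and works on real certificates."""
import base64
import re
from collections import Counter

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_tlv(data, pos=0):
    """Read one DER TLV starting at pos; return (tag, contents, next_pos).
    Single-byte tags only, which is all X.509 uses."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(contents):
    """Yield (tag, contents) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = der_tlv(contents, pos)
        yield tag, inner


def decode_oid(raw):
    """OID contents octets -> dotted string (b'\\x55\\x1d\\x0f' -> '2.5.29.15')."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                   # the first two arcs share one sub-identifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def extension_oids(cert_der):
    """Extension OIDs of a DER certificate, in order; [] if it has none."""
    _, cert, _ = der_tlv(cert_der)    # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)         # tbsCertificate is its first element
    for tag, value in der_children(tbs):
        if tag == 0xA3:               # extensions [3] EXPLICIT Extensions
            _, ext_seq, _ = der_tlv(value)
            return [decode_oid(der_tlv(ext)[1]) for _, ext in der_children(ext_seq)]
    return []


def duplicate_extensions(cert_der):
    """Sorted OIDs that occur more than once among the certificate's extensions."""
    return sorted(o for o, n in Counter(extension_oids(cert_der)).items() if n > 1)


def filter_bundle(pem_bytes):
    """Return (clean_pem, rejected); rejected is a list of (index, duplicate OIDs)."""
    kept, rejected = [], []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        dups = duplicate_extensions(base64.b64decode(m.group(1)))
        if dups:
            rejected.append((i, dups))
        else:
            kept.append(m.group(0))
    return b"\n".join(kept) + b"\n", rejected


# --- constructed sample input: unsigned stand-ins, not real CA certificates ---------
def tlv(tag, *parts):
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def fake_cert(ext_oids):
    """Unsigned stand-in with the Certificate/TBSCertificate layout of RFC 5280."""
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"), tlv(0x05))
    exts = tlv(0x30, *[tlv(0x30, encode_oid(o), tlv(0x04, b"\x30\x00")) for o in ext_oids])
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02")),                      # version v3
              tlv(0x02, b"\x01"), alg, tlv(0x30),                  # serial, sigalg, issuer
              tlv(0x30, tlv(0x17, b"210101000000Z"), tlv(0x17, b"310101000000Z")),
              tlv(0x30), tlv(0x30, alg, tlv(0x03, b"\x00")),       # subject, SPKI
              tlv(0xA3, exts))
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


GOOD_CA = fake_cert(["2.5.29.19", "2.5.29.15"])              # basicConstraints, keyUsage
BAD_CA = fake_cert(["2.5.29.19", "2.5.29.15", "2.5.29.15"])  # keyUsage listed twice
SAMPLE_BUNDLE = to_pem(GOOD_CA) + to_pem(BAD_CA)

if __name__ == "__main__":
    clean, rejected = filter_bundle(SAMPLE_BUNDLE)
    for idx, dups in rejected:
        print(f"certificate #{idx}: duplicate extensions {dups}, dropped from bundle")
    print(f"{len(PEM_RE.findall(clean))} certificate(s) kept")
```

Run it against the bundle a package actually ships (for example `filter_bundle(open("cert.pem", "rb").read())`) before installing it as the system trust store; the scanner only checks for repeated extension OIDs, which is the specific defect this thread is about, so it is a complement to, not a replacement for, loading the bundle with the TLS library that will consume it.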
