[gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Mar 14 18:22:02 CET 2022

Andreas Metzler commented:

Daiki Ueno @dueno · wrote 8 hours ago
> I can't reproduce it with PKCS#11 trust store, so I guess the issue is in the non-PKCS#11 code path in lib/x509/verify-high*.c

Indeed `certtool --infile=/tmp/ci.pem --verify --load-ca-certificate="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust"` succeds where `certtool --infile=/tmp/ci.pem --verify` failed. (gnutls built with --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt / p11-kit with --with-trust-paths=/etc/ssl/certs/ca-certificates.crt).

ci.debian.net cannot be used as testcase with gnutls-cli anymore, the duplicate cert has been removed from its certificate list.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_874071418
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220314/aa472831/attachment.html>

More information about the Gnutls-devel mailing list