[gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jan 4 06:30:59 CET 2024

Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713449674

> KeyRootA_SignedB is the key from A signed by B (cross-signed).

By "key" do you mean an X.509 private key? From the GnuTLS API point of view, it is not supported to mix certificates and keys in a single certificate chain, unless Cockpit is doing a special treatment for that.

> A,B, and C are not in the trust store of the cockpit host, but it is serving these certs and not validating them so I don't expect this would matter.

I'm not familiar with Cockpit, but as this issue is about validating a certificate chain with `cockpit-certificate-ensure`, I guess you would need to tell the tool that any of those root certificates are trusted?

@martinpitt would you be able to shed some light on this?

In any case, it would be helpful if you could create a similar certificate chain that could reproduce the issue.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713449674
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240104/a7d369e3/attachment.html>

More information about the Gnutls-devel mailing list