[gnutls-devel] GnuTLS | certtool: --verify-profile option does not override system-wide priority configuration (#1772)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 9 10:51:38 CET 2025



Conor Tull created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1772



When `certtool` is run on a system that utilizes a system-wide priority configuration (via `GNUTLS_SYSTEM_PRIORITY_FILE`), the system-wide defaults appear to take priority over the explicit command-line argument `--verify-profile`.

If the system policy enforces a security floor (e.g., 2048-bit RSA), passing `--verify-profile low` fails to allow verification of smaller keys (e.g., 1792-bit), returning a `GNUTLS_SEC_PARAM_MEDIUM` error.

**Steps to Reproduce:**

1. Use a system with strict crypto-policies, or point `GNUTLS_SYSTEM_PRIORITY_FILE` to a strict config.
2. Generate a 1792-bit RSA key and self-signed certificate (simulating legacy artifacts).
3. Attempt to verify the certificate using the `low` profile.

```
# Template for the self-signed test certificate
cat <<EOF > legacy.cfg
cn = "Test-Legacy"
serial = 001
expiration_days = 1
signing_key
encryption_key
cert_signing_key
ca
EOF

GNUTLS_FORCE_FIPS_MODE=0 certtool --generate-privkey \
    --rsa --bits 1792 --outfile 1792.key

GNUTLS_FORCE_FIPS_MODE=0 certtool --generate-self-signed \
    --load-privkey 1792.key \
    --template legacy.cfg \
    --outfile 1792.pem

certtool --verify \
    --verify-profile low \
    --infile 1792.pem --load-ca-certificate 1792.pem
```

**Actual Results:** The command fails even though `low` was requested. Debug logs (`-d 9`) show that the library asserts `GNUTLS_SEC_PARAM_MEDIUM`, indicating the system default is overriding the CLI flag.

```
|<2>| GNUTLS_SEC_PARAM_MEDIUM: certificate's security level is unacceptable
Chain verification output: Not verified. The certificate is NOT trusted.
```

The CLI argument `--verify-profile low` should take precedence over the system configuration file. The user is explicitly opting into allowing weaker keys for this specific operation. If `GNUTLS_SYSTEM_PRIORITY_FILE=''` is included, it works successfully.

```
# This works successfully:
GNUTLS_SYSTEM_PRIORITY_FILE='' certtool --verify \
    --verify-profile legacy \
    --infile 1792.pem --load-ca-certificate 1792.pem
```

This suggests the issue is strict precedence logic where the system config is treated as a hard floor rather than a default.
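
A diagnostic sketch for the precedence question described above, added here as an example and not taken from the issue or from GnuTLS: it reads the system config and reports whether a requested `--verify-profile` value is weaker than a configured floor. It assumes the floor is set with the `min-verification-profile` key in the `[overrides]` section and that the default config path is `/etc/gnutls/config`; the function names are hypothetical, and `%PROFILE_*` keywords inside priority strings are not evaluated.

```shell
#!/bin/sh
# Added diagnostic sketch, not GnuTLS code. Profiles are listed weakest first.
PROFILES="low legacy medium high ultra future"

# profile_rank NAME: print the 1-based position of NAME in PROFILES, 0 if unknown.
profile_rank() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    i=0
    for p in $PROFILES; do
        i=$((i + 1))
        if [ "$p" = "$want" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# config_floor FILE: print min-verification-profile from the [overrides] section.
config_floor() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { gsub(/[][ \t\r]/, ""); section = tolower($0); next }
        section == "overrides" {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "min-verification-profile") {
                minp = $2; gsub(/[ \t\r]/, "", minp); minp = tolower(minp)
            }
        }
        END { if (minp != "") print minp }
    ' "$1"
}

# check_profile REQUESTED [FILE]: 0 = not below floor, 1 = below it, 2 = unknown name.
check_profile() {
    # Empty GNUTLS_SYSTEM_PRIORITY_FILE means no system config; default path is assumed.
    file=${2-${GNUTLS_SYSTEM_PRIORITY_FILE-/etc/gnutls/config}}
    req=$(profile_rank "$1")
    [ "$req" -gt 0 ] || { echo "unknown profile: $1"; return 2; }
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo "no system config in effect for '$1'"; return 0
    fi
    min=$(config_floor "$file")
    if [ -n "$min" ] && [ "$req" -lt "$(profile_rank "$min")" ]; then
        echo "'$1' is weaker than min-verification-profile=$min in $file"; return 1
    fi
    echo "'$1' is not below a configured floor in $file"
}

# Constructed sample config, for demonstration only.
demo=$(mktemp)
printf '[overrides]\nmin-verification-profile = medium\n' > "$demo"
check_profile low "$demo" || true
rm -f "$demo"
```

A return status of 1 for the profile passed to `certtool` points at the system config as the likely source of a `GNUTLS_SEC_PARAM_MEDIUM`-style rejection before any debugging of the tool itself.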
