[gnutls-devel] GnuTLS | GnuTLS reject a critical Policy Mappings (#1671)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Mar 3 09:04:11 CET 2025
dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1671
## Description of problem:
GnuTLS reject a cert with critical PolicyMappings.However OpenSSL accept it.According to RFC 5280, the ext PolicyMappings should be marked as critical.
## Version of gnutls used:
gnutls-cli 3.8.9
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
* one certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408146207.pem [Cert17408146207.pem](/uploads/93d737f30c252d1e31cc02c358ad326c/Cert17408146207.pem)
[RootCA.pem](/uploads/89cc125c6597254bd0efca6f04746945/RootCA.pem)
## Actual results:
```
Loaded CAs (1 available)
Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
```
## Expected results:
Verified. The certificate is trusted.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1671
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250303/974fce81/attachment.html>
More information about the Gnutls-devel
mailing list