[gnutls-devel] GnuTLS | GnuTLS reject a critical Policy Mappings (#1671)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Mar 3 09:04:11 CET 2025



dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1671



## Description of problem:
GnuTLS rejects a cert with critical PolicyMappings. However, OpenSSL accepts it. According to RFC 5280, the PolicyMappings extension should be marked as critical.

## Version of gnutls used:
gnutls-cli 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu

## How reproducible:

Steps to Reproduce:

1. `certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408146207.pem`

Attachments: [Cert17408146207.pem](/uploads/93d737f30c252d1e31cc02c358ad326c/Cert17408146207.pem), [RootCA.pem](/uploads/89cc125c6597254bd0efca6f04746945/RootCA.pem)


## Actual results:
```
Loaded CAs (1 available)
	Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension. 
Chain verification output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension. 
```

## Expected results:
Verified. The certificate is trusted.

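An added check, not GnuTLS or OpenSSL code, that reproduces the decision the certtool output above reports: it walks a DER Extensions SEQUENCE and returns the critical extensions a verifier does not recognise, first with an assumed known-extension set that lacks PolicyMappings (2.5.29.33) and then with it added. The known-OID set, helper names and sample extension bytes are constructed for this example.

```python
# Added example, not GnuTLS code: a minimal DER walk over a certificate's Extensions
# applying the RFC 5280 s4.2 rule behind "unknown critical extension" in the output above.
def tlv(tag, body):  # DER TLV, short-form length only (enough for the sample)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, v = list(divmod(body[0], 40)), 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):  # -> (tag, content, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension(oid_bytes, critical, value_der):
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits critical DEFAULT FALSE
    return tlv(0x30, tlv(0x06, oid_bytes) + crit + tlv(0x04, value_der))

def parse_extensions(ext_seq_der):
    """Return [(dotted_oid, critical)] for each Extension in a DER Extensions SEQUENCE."""
    _, body, _ = read_tlv(ext_seq_der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, p)  # BOOLEAN if critical, else the OCTET STRING value
        out.append((decode_oid(oid_body), tag == 0x01 and val != b"\x00"))
    return out

def unknown_critical(exts, known_oids):
    """RFC 5280 s4.2: a critical extension the verifier cannot process makes it reject."""
    return [oid for oid, crit in exts if crit and oid not in known_oids]

BASIC_CONSTRAINTS, POLICY_MAPPINGS = "2.5.29.19", "2.5.29.33"
KNOWN_OIDS = {BASIC_CONSTRAINTS, "2.5.29.15", "2.5.29.32"}  # assumed set, lacks PolicyMappings
# Constructed sample: basicConstraints cA=TRUE and one policy mapping, both marked critical.
SAMPLE_EXTENSIONS = tlv(0x30,
    extension(b"\x55\x1d\x13", True, tlv(0x30, tlv(0x01, b"\xff")))
    + extension(b"\x55\x1d\x21", True, tlv(0x30, tlv(0x30,
                tlv(0x06, b"\x2a\x03\x04") + tlv(0x06, b"\x2a\x03\x05")))))
REJECTED = unknown_critical(parse_extensions(SAMPLE_EXTENSIONS), KNOWN_OIDS)  # ['2.5.29.33']
ACCEPTED = unknown_critical(parse_extensions(SAMPLE_EXTENSIONS), KNOWN_OIDS | {POLICY_MAPPINGS})  # []
```

The same extension left non-critical would pass even with the smaller set, which is why a verifier's table of processed extensions, not the certificate's marking alone, decides the outcome.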



