[gnutls-devel] GnuTLS | GnuTLS accepts a critical Subject Key Identifier (#1672)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Mar 3 13:06:05 CET 2025
dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1672
## Description of problem:
GnuTLS accepts a critical Subject Key Identifier. OpenSSL and WolfSSL reject it. RFC 5280 requires that the SKI extension be marked non-critical.
## Version of gnutls used:
gnutls-cli 3.8.9
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
1. `certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408142963.pem`

Attachments: [Cert17408142963.pem](/uploads/7163941bc5e98a343961839ab277cd27/Cert17408142963.pem), [RootCA.pem](/uploads/2eef74ceb38fe45241449d368ea4fe4a/RootCA.pem)
## Actual results:
```
Loaded CAs (1 available)
Setting log level to 10
Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
```
## Expected results:
Consistent verification results among GnuTLS and other TLS implementations.

OpenSSL:
```
error 34 at 0 depth lookup: unhandled critical extension
```

WolfSSL:
```
wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid
```
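As an added example that is not part of the report and not GnuTLS code: a standard-library Python checker that walks a certificate's DER, lists its extensions, and reports any that carry `critical=TRUE` although RFC 5280 requires them to be non-critical (Subject Key Identifier, Authority Key Identifier and Authority Information Access). The OID table and the `build_sample_cert` helper, which assembles a constructed, unsigned certificate with a critical SKI so the check can be exercised offline, are assumptions of this example; the checker itself accepts any real PEM or DER certificate.

```python
"""Report X.509 extensions marked critical that RFC 5280 says MUST be non-critical.
Pure standard library; minimal DER walker sufficient for X.509 (single-byte tags)."""
import base64
import re

# Assumption of this example: extensions whose criticality RFC 5280 fixes to FALSE.
MUST_BE_NONCRITICAL = {
    "2.5.29.14": "subjectKeyIdentifier",        # RFC 5280 4.2.1.2
    "2.5.29.35": "authorityKeyIdentifier",      # RFC 5280 4.2.1.1
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess", # RFC 5280 4.2.2.1
}

def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, content, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length

def _children(content):
    """Split the content of a constructed element into its (tag, content) children."""
    out, off = [], 0
    while off < len(content):
        tag, val, off = _read_tlv(content, off)
        out.append((tag, val))
    return out

def _decode_oid(b):
    arcs, value = [], 0
    for byte in b:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            if not arcs:                   # first byte packs the first two arcs
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _pem_to_der(data):
    if isinstance(data, str):
        data = data.encode()
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def extensions(cert_der):
    """Yield (oid, critical, value) for every extension in a DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate is its first child
    for tag, val in _children(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            _, exts, _ = _read_tlv(val, 0)         # SEQUENCE OF Extension
            for _, ext in _children(exts):
                fields = _children(ext)            # OID, [BOOLEAN critical], OCTET STRING
                critical = len(fields) == 3 and fields[1][1] != b"\x00"
                yield _decode_oid(fields[0][1]), critical, fields[-1][1]

def misflagged_critical(cert):
    """Return [(oid, name)] for extensions wrongly marked critical; [] means clean."""
    return [(oid, MUST_BE_NONCRITICAL[oid]) for oid, crit, _ in extensions(_pem_to_der(cert))
            if crit and oid in MUST_BE_NONCRITICAL]

# --- constructed sample input (not a real certificate; signature is a dummy) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_sample_cert(ski_critical):
    """Assumed helper: minimal unsigned v3 certificate carrying only an SKI extension."""
    crit = _tlv(0x01, b"\xff") if ski_critical else b""
    ski = _tlv(0x30, _oid("2.5.29.14") + crit + _tlv(0x04, _tlv(0x04, b"\x01" * 20)))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                 # version v3
               _tlv(0x02, b"\x01") +                             # serial
               _tlv(0x30, _oid("1.2.840.113549.1.1.11")) +       # sha256WithRSAEncryption
               _tlv(0x30, b"") +                                 # issuer (empty Name)
               _tlv(0x30, _tlv(0x17, b"250101000000Z") * 2) +   # validity
               _tlv(0x30, b"") +                                 # subject (empty Name)
               _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1")) + _tlv(0x03, b"\x00")) +
               _tlv(0xA3, _tlv(0x30, ski)))                      # [3] Extensions
    return _tlv(0x30, tbs + _tlv(0x30, _oid("1.2.840.113549.1.1.11")) + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(misflagged_critical(build_sample_cert(True)))   # flags the critical SKI
    print(misflagged_critical(build_sample_cert(False)))  # []
```

Run `misflagged_critical(open("Cert17408142963.pem", "rb").read())` against the attached certificate to see the SKI reported; a verifier that wants OpenSSL-compatible behaviour would treat a non-empty result as a hard failure rather than a warning.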