[gnutls-devel] GnuTLS | GnuTLS accepts a critical Subject Key Identifier (#1672)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Mar 3 13:06:05 CET 2025

dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1672

## Description of problem:
GnuTLS accepts a critical Subject Key Identifier. OpenSSL and WolfSSL reject it. RFC 5280 requires that the SKI extension be marked non-critical.

## Version of gnutls used:
gnutls-cli 3.8.9

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Ubuntu

## How reproducible:

Steps to Reproduce:

 1. `certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408142963.pem`
    Attachments: [Cert17408142963.pem](/uploads/7163941bc5e98a343961839ab277cd27/Cert17408142963.pem), [RootCA.pem](/uploads/2eef74ceb38fe45241449d368ea4fe4a/RootCA.pem)


## Actual results:

```
Loaded CAs (1 available)
Setting log level to 10
	Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted. 
Chain verification output: Verified. The certificate is trusted. 
```

## Expected results:
Consistent verification results among GnuTLS and other TLS implementations.

 * OpenSSL: `error 34 at 0 depth lookup: unhandled critical extension`
 * WolfSSL: `wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid`
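The RFC 5280 rule at issue is easy to check directly in the certificate's Extensions field. The script below is an added example for this thread, not GnuTLS, OpenSSL or WolfSSL code: it walks the DER Extensions SEQUENCE with a minimal parser and reports any extension marked critical that RFC 5280 requires conforming CAs to mark non-critical (subjectKeyIdentifier, section 4.2.1.2, and, generalizing the same rule, authorityKeyIdentifier, section 4.2.1.1). The two sample Extensions blobs are constructed inside the script and are not taken from the certificate attached to the issue; a conforming blob is shown beside one that marks the SKI critical.

```python
"""RFC 5280 check: subjectKeyIdentifier / authorityKeyIdentifier must not be
critical. Added example for this thread, not GnuTLS code. Only a certificate's
Extensions SEQUENCE is parsed, with a small DER walker, so it runs offline.
The sample blobs at the bottom are constructed here, not the issue's cert."""

# Extensions RFC 5280 requires conforming CAs to mark non-critical
# (sections 4.2.1.2 and 4.2.1.1).
MUST_BE_NON_CRITICAL = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.35": "authorityKeyIdentifier",
}
BASIC_CONSTRAINTS_OID = "2.5.29.19"   # may legitimately be critical


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted string from OID contents (first two arcs decoded the simple way)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(ext_seq):
    """Parse an Extensions SEQUENCE into a list of (oid, critical, extnValue)."""
    tag, body, _ = _read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_raw, p = _read_tlv(ext, 0)       # extnID OBJECT IDENTIFIER
        if tag != 0x06:
            raise ValueError("extnID must be an OID")
        critical = False
        tag, val, p = _read_tlv(ext, p)           # critical BOOLEAN DEFAULT FALSE
        if tag == 0x01:                           # DER omits it when FALSE
            critical = val == b"\xff"
            tag, val, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((_decode_oid(oid_raw), critical, val))
    return result


def noncritical_violations(ext_seq):
    """Names of extensions marked critical although RFC 5280 forbids it."""
    return [MUST_BE_NON_CRITICAL[oid]
            for oid, critical, _ in parse_extensions(ext_seq)
            if critical and oid in MUST_BE_NON_CRITICAL]


# --- constructed sample data (tiny DER encoder, short-form lengths only) ---

def _der(tag, body):
    assert len(body) < 128, "samples only need short-form lengths"
    return bytes([tag, len(body)]) + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:                            # base-128, high bit on all but last
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return _der(0x06, out)


def _extension(oid, value, critical=False):
    parts = _oid(oid) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, parts + _der(0x04, value))


KEY_ID = _der(0x04, bytes.fromhex("deadbeef"))    # constructed keyIdentifier
CA_TRUE = _der(0x30, _der(0x01, b"\xff"))          # BasicConstraints { cA TRUE }

# Conforming: SKI non-critical, basicConstraints critical (allowed).
GOOD_EXTENSIONS = _der(0x30, _extension("2.5.29.14", KEY_ID)
                       + _extension(BASIC_CONSTRAINTS_OID, CA_TRUE, critical=True))
# Like the issue's certificate: SKI marked critical.
BAD_EXTENSIONS = _der(0x30, _extension("2.5.29.14", KEY_ID, critical=True)
                      + _extension(BASIC_CONSTRAINTS_OID, CA_TRUE, critical=True))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_EXTENSIONS), ("bad", BAD_EXTENSIONS)):
        print(name, blob.hex(), "violations:", noncritical_violations(blob))
```

On a real certificate the Extensions SEQUENCE is the contents of the `[3]` EXPLICIT tag at the end of the TBSCertificate; feed those bytes to `noncritical_violations` and an empty list means the SKI/AKI criticality rule is satisfied, while a non-empty list is exactly the case OpenSSL and WolfSSL reject above.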
