[gnutls-devel] GnuTLS | gnutls certificate with duplicates in the chain is rejected (#1741)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Sep 25 21:20:54 CEST 2025



Sergey Koposov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1741



Hi,

## Description of problem: 

A certificate whose chain contains duplicates is rejected by gnutls (but is accepted by openssl and other libraries).

The issue arose when the Evolution email client started to complain about an 'unacceptable TLS certificate' when trying to authenticate to my email account.

This led me to investigate and run:

```
$ gnutls-cli edadfed.ed.ac.uk
Processed 146 CA certificate(s).
Resolving 'edadfed.ed.ac.uk:443'...
Connecting to '129.215.67.169:443'...
- Certificate type: X.509
- Got a certificate list of 23 certificates.
- Certificate[0] info:
 - subject `CN=edadfed.ed.ac.uk,O=The University of Edinburgh,L=Edinburgh,C=GB', issuer `CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x0d296cf890eebdccb272d452d54ff742, RSA key 2048 bits, signed using RSA-SHA256, activated `2025-08-20 00:00:00 UTC', expires `2026-08-19 23:59:59 UTC', pin-sha256="t6K+8+rkiqVzq9PrgQhq3zleQFNGA2zGshvNCwRcYI4="
	Public Key ID:
		sha1:bc67d663290cece53fccc2da4a8339c81140be98
		sha256:b7a2bef3eae48aa573abd3eb81086adf395e405346036cc6b21bcd0b045c608e
	Public Key PIN:
		pin-sha256:t6K+8+rkiqVzq9PrgQhq3zleQFNGA2zGshvNCwRcYI4=

- Certificate[1] info:
 - subject `CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0cf5bd062b5602f47ab8502c23ccf066, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-03-30 00:00:00 UTC', expires `2031-03-29 23:59:59 UTC', pin-sha256="Wec45nQiFwKvHtuHxSAMGkt19k+uPSw9JlEkxhvYPHk="
....
- Certificate[21] info:
 - subject `CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0cf5bd062b5602f47ab8502c23ccf066, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-03-30 00:00:00 UTC', expires `2031-03-29 23:59:59 UTC', pin-sha256="Wec45nQiFwKvHtuHxSAMGkt19k+uPSw9JlEkxhvYPHk="
- Certificate[22] info:
 - subject `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x033af1e6a711a9a0bb2864b11d09fae5, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-08-01 12:00:00 UTC', expires `2038-01-15 12:00:00 UTC', pin-sha256="i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY="
- Could not verify certificate (err: Some constraint limits were reached.)
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
      
```

My understanding is that the problem is that the same two certificates are repeated 11 times in the chain. It is clearly a problem on the server side, but openssl does not seem to have issues with it (and neither do other clients).

I have seen issue #1335, which seemed to me like it should have fixed the issue of a certificate being marked invalid if there are duplicates in the chain in the 3.8.x branch, but that does not seem to be the case.

I am not really an SSL expert, so I cannot say whether it is really a bug on the gnutls side or whether gnutls is just being strict, but from a user standpoint it would be nice not to reject this certificate.

Also, if I use --save-cert and then certtool --verify, it does not complain.

## Version of gnutls used: 3.8.3

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL): Ubuntu

## How reproducible:

Steps to Reproduce:

* $ gnutls-cli edadfed.ed.ac.uk

## Actual results:

```
- Could not verify certificate (err: Some constraint limits were reached.)
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

## Expected results:

The certificate should be accepted.

Thank you

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1741
You're receiving this email because of your account on gitlab.com.
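Added example, not part of the report above and not GnuTLS code: a small Go program that builds a throwaway test PKI with the same shape as the chain in the report (the leaf, then the same intermediate/root pair eleven times, 23 certificates in all) and checks it two ways. The first applies a chain-length limit to the list exactly as the server sent it, which rejects 23 certificates; the second drops byte-identical duplicates first, hands the rest to the path builder as candidate intermediates, and applies the same limit to the path that was actually built, which is three certificates long. The limit of 16, the CA and host names, and the use of Go's crypto/x509 verifier as the tolerant client are all assumptions of the example. The report's error message does not say which GnuTLS constraint fired, and the example does not claim to reproduce GnuTLS's logic; what it shows is the behaviour RFC 8446 section 4.4.2 asks of clients, which should be prepared to handle extraneous certificates and arbitrary orderings after the end-entity certificate, and why a path-building verifier sees a three-certificate path where a verifier counting the raw list sees 23.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxVerifyDepth is an assumed client-side chain-length limit for this example.
const MaxVerifyDepth = 16

func template(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
}

// issue signs tmpl under parent with parentKey (nil parent: self-signed).
// The PKI is throwaway test material, so failures simply panic.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildScenario constructs a test PKI (made-up names) shaped like the reported
// chain: the leaf, then the same (intermediate, root) pair eleven times, 23 in all.
func BuildScenario() (*x509.Certificate, []*x509.Certificate) {
	root, rootKey := issue(template("Example Root G2", 1, true), nil, nil)
	inter, interKey := issue(template("Example G2 TLS CA1", 2, true), root, rootKey)
	leaf, _ := issue(template("www.example.test", 3, false), inter, interKey)
	presented := []*x509.Certificate{leaf}
	for i := 0; i < 11; i++ {
		presented = append(presented, inter, root)
	}
	return root, presented
}

// Dedupe drops byte-identical repeats (keyed on the SHA-256 of the DER), keeping first-seen order.
func Dedupe(chain []*x509.Certificate) []*x509.Certificate {
	seen := make(map[[32]byte]bool)
	var out []*x509.Certificate
	for _, c := range chain {
		if sum := sha256.Sum256(c.Raw); !seen[sum] {
			seen[sum] = true
			out = append(out, c)
		}
	}
	return out
}

// DepthError is the length check itself; what it is applied to is the whole point.
func DepthError(n int) error {
	if n > MaxVerifyDepth {
		return fmt.Errorf("chain of %d certificates exceeds limit %d", n, MaxVerifyDepth)
	}
	return nil
}

// VerifyPresented is the tolerant client: duplicates are dropped, everything after
// the leaf is offered as a candidate intermediate, and the depth limit is applied
// to the path the builder produced rather than to the list the server sent.
func VerifyPresented(presented []*x509.Certificate, roots *x509.CertPool) ([]*x509.Certificate, error) {
	unique := Dedupe(presented)
	inters := x509.NewCertPool()
	for _, c := range unique[1:] {
		inters.AddCert(c)
	}
	chains, err := unique[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	path := chains[0]
	return path, DepthError(len(path))
}
```

The server-side fix is still the right one: send the end-entity certificate followed by the intermediate(s) only. What a server actually sends can be inspected with `openssl s_client -connect host:443 -showcerts`, or with gnutls-cli --save-cert as the report does. The test PKI above is regenerated on every run, so key IDs and fingerprints change; only the shape of the chain matters.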



