Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME

Lars Noschinski lars at public.noschinski.de
Mon Jun 21 14:58:21 CEST 2010


* Nikos Mavrogiannopoulos <nmav at gnutls.org> [10-06-21 13:46]:
> On Mon, Jun 21, 2010 at 1:45 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> 
> >> Ok. But in this case, the behaviour I observed seems to be indeed a bug
> >> in gnutls, as my certificate list did not contain the server's
> >> certificate, but only the CA certificates.
> > Then please send me something I can reproduce (such as the smallest
> > possible list that I can use to verify the problem and how I can
> > verify it).

For the certificate list, see

    http://avalon.hoffentlich.net/~cebewee/debug/gnutls/cacert.crt

(containing the CAcert.org root certificates).

Now,

    $ gnutls-cli jabberd.jabber.ccc.de --x509cafile cacert.crt

trusts the server certificate [0]. Now apply the patch [1] to cli.c
and run the patched binary. Now

    $ gnutls-cli.patched jabberd.jabber.ccc.de --x509cafile cacert.crt

fails to establish a trusted chain [2].

> And of course the version of gnutls you are using. If you are not
> using 1.8.x please reproduce with it.

You mean 2.8.x, correct? Reproduced using libgnutls26, 2.8.6-1 package
from debian (the package does not contain code patches, only the patches
in the debian/patches subdirectory of

    http://ftp.de.debian.org/debian/pool/main/g/gnutls26/gnutls26_2.8.6-1.debian.tar.gz

).


  -- Lars.

[0] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-ok.log
[1] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-cli.patch
[2] http://avalon.hoffentlich.net/~cebewee/debug/gnutls/gnutls-fail.log




More information about the Gnutls-help mailing list