gnutls fails to use Verisign CA cert without a Basic Constraint
From: Douglas E. Engert
Subject: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Wed, 07 Jan 2009 18:14:57 -0600
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)
This is also being submitted to https://bugs.launchpad.net/bugs
Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3. See attached
patch that should work in both.
ldapsearch -d 1 -H ldaps://...
TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The OpenLDAP ldap server certificate issued by Verisign is signed by:
Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem
which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem
Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0
Verisign_Class_3_Public_Primary_Certification_Authority.pem
is a self signed version 1 cert issued in 1996, with no extensions.
In lib/x509/verify.c gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.
The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.
Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.
--
Douglas E. Engert <address@hidden>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--- ,verify.c 2009-01-06 14:02:41.000000000 -0600
+++ verify.c 2009-01-07 17:07:27.000000000 -0600
@@ -130,11 +130,20 @@
}
}
- if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1)
+ result = gnutls_x509_crt_get_ca_status (issuer, NULL);
+ if (result == 1)
{
result = 1;
goto cleanup;
}
+ /* Old self signed CA certs may not have basic constrant */
+ else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+ (gnutls_x509_crt_check_issuer(issuer, issuer) == 1))
+ {
+ gnutls_assert ();
+ result = 1;
+ goto cleanup;
+ }
else
gnutls_assert ();
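Review bot: the new else-if branch promotes any certificate whose subject matches its own issuer to a CA whenever basicConstraints is absent, but gnutls_x509_crt_check_issuer(issuer, issuer) is a name/identifier match, and nothing in the hunk verifies the self-signature or looks at the certificate version, so a version 3 self-issued certificate that merely omits basicConstraints (which RFC 5280 requires, with cA=TRUE, on v3 CA certificates) would be accepted as well. The case in the report is a version 1 root, so tie the relaxation to that, e.g. add `gnutls_x509_crt_get_version (issuer) == 1` to the condition, and if the caller can tell, apply it only to issuers taken from the trusted list rather than to any issuer found in the presented chain. Minor: "constrant" in the comment should read "constraints", and the `result = 1;` inside the first `if` is now redundant because `result` already holds 1 there.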
- gnutls fails to use Verisign CA cert without a Basic Constraint,
Douglas E. Engert <=
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/08
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Douglas E. Engert, 2009/01/08
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Tomas Mraz, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Tomas Mraz, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Douglas E. Engert, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Daniel Kahn Gillmor, 2009/01/09