gnutls fails to use Verisign CA cert without a Basic Constraint

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

gnutls fails to use Verisign CA cert without a Basic Constraint

From:	Douglas E. Engert
Subject:	gnutls fails to use Verisign CA cert without a Basic Constraint
Date:	Wed, 07 Jan 2009 18:14:57 -0600
User-agent:	Thunderbird 2.0.0.19 (Windows/20081209)

This is also being submitted to https://bugs.launchpad.net/bugs

Using the Ubuntu version of libgnutls13_2.0.4-1ubuntu2.3 on Hardy 8.04.1,
ldaps: has stopped working. This looks like it is related to
the December changes that are also in gnutls-2.6.3. See attached
patch that should work in both.

ldapsearch -d 1  -H ldaps://...

TLS: peer cert untrusted or revoked (0x82)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The OpenLDAP ldap server certificate issued by Verisign is signed by:

Verisign_Intermediate-Secure_Site_Managed_PKI_for_SSL_Standard_Certificates.pem

which is signed by:
Verisign_Class_3_Public_Primary_Certification_Authority.pem

Both of these are in /etc/ssl/certs as 7651b327.0 and f0a38a80.0

Verisign_Class_3_Public_Primary_Certification_Authority.pem
is a self signed version 1 cert issued in 1996, with no extensions.

In lib/x509/verify.c  gnutls_x509_crt_get_ca_status is called
but returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE as there is no
Basic Constraint.

The attached patch (to gnutls13_2.0.4-1ubuntu2.3) checks for
this return and if it is a self signed cert, will treat it as a CA.
The patch looks like it can be applied to 2.6.3 as well.

Clients on Solaris 9 and 10, and OpenLDAP using OpenSSL on any
platform have no problems with this old cert.




--

 Douglas E. Engert  <address@hidden>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

--- ,verify.c   2009-01-06 14:02:41.000000000 -0600
+++ verify.c    2009-01-07 17:07:27.000000000 -0600
@@ -130,11 +130,20 @@
          }
       }
 
-  if (gnutls_x509_crt_get_ca_status (issuer, NULL) == 1)
+  result = gnutls_x509_crt_get_ca_status (issuer, NULL);
+  if (result == 1)
     {
       result = 1;
       goto cleanup;
     }
+     /* Old self signed CA certs may not have basic constrant */
+  else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) &&
+           (gnutls_x509_crt_check_issuer(issuer, issuer) == 1))
+    {
+      gnutls_assert ();
+      result = 1;
+      goto cleanup;
+    }
   else
     gnutls_assert ();

[Prev in Thread]

Current Thread

[Next in Thread]

gnutls fails to use Verisign CA cert without a Basic Constraint, Douglas E. Engert <=
- Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/08
  - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Douglas E. Engert, 2009/01/08
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Tomas Mraz, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Tomas Mraz, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Douglas E. Engert, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Simon Josefsson, 2009/01/09
    - Re: gnutls fails to use Verisign CA cert without a Basic Constraint, Daniel Kahn Gillmor, 2009/01/09

Prev by Date: GnuTLS 2.7.4
Next by Date: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Previous by thread: GnuTLS 2.7.4
Next by thread: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Index(es):
- Date
- Thread