Bug#607616: libgnutls26: the GnuTLS searches CA certs by subject and stops on first? (fails on more CA with the same subj)

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Jan 25 21:57:37 UTC 2011


On 01/20/2011 05:58 PM, Václav Ovsík wrote:
> On Thu, Jan 20, 2011 at 05:22:12PM +0100, Nikos Mavrogiannopoulos wrote:
>> Hello,
>> Indeed I'm mistaken.
>>
>>> The reported problem is about order of certificates with the same
>>> subject DN in the repository during verifying certificate. I have server
>>> certificates issued by older and newer CA certificate both valid of
>>> course. GnuTLS must find the right certificate of CA from two or even
>>> more with the same subject DN.
>>> I tried to examine in the bug-report, that based on the order of two CA
>>> certificates with the same subject DN IN THE REPOSITORY the GnuTLS fails
>>> on newer or older server certificate. There was no change on server
>>> sides or so. I changed CA cert order only on the client side repository.
>>
>> Yes gnutls does stop on first match no matter if expired of not... Is
>> there merit in supporting lists that contain duplicates of certificates?
> Changing subject DN on certificate renewals is maybe good practice, but
> AFAIK not required. Administrators of our company CA (Microsoft CA)
> simply did not change it. Their choice, OK.

No don't take my point as being that changing the DN is recommended. I
am not suggesting that. What I suggest is that the old certificate can
be removed from the list once the renewed one is added.

> OpenSSL handles this smoothly and I think it is bug otherwise.
> When OpenSSL's c_rehash is called on directory of X.509 certificates, it
> numbers hashes with aabbccdd.n, where n is for resolution of the same
> Subjects. So when I look into my repository:

I note it as an issue to the gnutls verification functionality, and I'll
fix it together with some other issues, by adding a more advanced
verification subsystem.

regards,
Nikos





More information about the Pkg-gnutls-maint mailing list