Bug#607616: libgnutls26: the GnuTLS searches CA certs by subject and stops on first? (fails on more CA with the same subj)

Václav Ovsík vaclav.ovsik at i.cz
Wed Jan 26 09:57:30 UTC 2011


Hello,

On Tue, Jan 25, 2011 at 10:57:37PM +0100, Nikos Mavrogiannopoulos wrote:
> On 01/20/2011 05:58 PM, Václav Ovsík wrote:
> > On Thu, Jan 20, 2011 at 05:22:12PM +0100, Nikos Mavrogiannopoulos wrote:
> >> Hello,
> >> Indeed I'm mistaken.
> >>
> >>> The reported problem is about the order of certificates with the same
> >>> subject DN in the repository when verifying a certificate. I have server
> >>> certificates issued by older and newer CA certificates, both valid of
> >>> course. GnuTLS must find the right CA certificate from two or even
> >>> more with the same subject DN.
> >>> I tried to examine in the bug report that, based on the order of two CA
> >>> certificates with the same subject DN IN THE REPOSITORY, GnuTLS fails
> >>> on the newer or older server certificate. There was no change on the server
> >>> side. I changed the CA cert order only in the client side repository.
> >>
> >> Yes, gnutls does stop on the first match no matter if expired or not... Is
> >> there merit in supporting lists that contain duplicates of certificates?
> > Changing the subject DN on certificate renewals is maybe good practice, but
> > AFAIK it is not required. Administrators of our company CA (Microsoft CA)
> > simply did not change it. Their choice, OK.
> 
> No don't take my point as being that changing the DN is recommended. I
> am not suggesting that. What I suggest is that the old certificate can
> be removed from the list once the renewed one is added.

I mention this because it could work around the problem, and I have met this
recommendation in the past (for example, appending the year to the CA subject
DN).

The renewed CA certificate can't be removed immediately, of course. A new
CA certificate must be issued no later than
End_Of_Life(CA) - The_Longest_Life_Duration_CA_issued_Cert.
For example, you have a CA with Not After 2012-01-01 and you are issuing certs
with one year of validity; the last date you can issue a cert with this
CA is 2011-01-01. This CA must issue CRLs until its end on 2012-01-01. You
need a new CA for certs after 2011-01-01. So you have two CA certs valid between
2011-01-01 and 2012-01-01; both must issue CRLs, but only the newer one is issuing
certs.

I solved my problem with the LDAPS servers simply by pointing only to the Root
CA (not the whole CA bundle). The LDAPS server gives the certificate chain
with the right intermediate CA, so things work now on every server :).


> > OpenSSL handles this smoothly, and I think it is a bug otherwise.
> > When OpenSSL's c_rehash is called on a directory of X.509 certificates, it
> > numbers the hashes as aabbccdd.n, where n is for resolution of the same
> > Subjects. So when I look into my repository:
> 
> I note it as an issue to the gnutls verification functionality, and I'll
> fix it together with some other issues, by adding a more advanced
> verification subsystem.

Great! I think it will be worth it, even though in my special case
a work-around exists.
Best Regards
-- 
Zito
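Added illustration (not code from the thread, from GnuTLS or from OpenSSL) of the order dependence discussed above: a constructed model with two CA certs that share one subject DN, one selector that stops at the first subject match, and one that keeps the candidate whose key identifier matches the leaf's AKI, so the result no longer depends on repository order. The Cert fields, key ids and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the certificates in the thread (no real X.509 parsing):
# a CA is identified by its subject DN plus its Subject Key Identifier (SKI);
# a leaf names its issuer DN and carries the issuer's key id as its AKI.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str
    aki: str
    not_before: date
    not_after: date

# Two CA certs with the SAME subject DN, both still valid in 2011, different keys.
OLD_CA = Cert("CN=Corp CA", "CN=Corp CA", "key-old", "key-old", date(2007, 1, 1), date(2012, 1, 1))
NEW_CA = Cert("CN=Corp CA", "CN=Corp CA", "key-new", "key-new", date(2011, 1, 1), date(2016, 1, 1))
# Server certificate issued by the newer CA key.
LEAF = Cert("CN=ldap.example", "CN=Corp CA", "key-leaf", "key-new", date(2011, 6, 1), date(2012, 6, 1))

def valid_on(cert, day):
    return cert.not_before <= day <= cert.not_after

def first_by_subject(leaf, trust_list, day):
    """Selection as described in the thread: the first CA whose subject
    matches the leaf's issuer wins, whatever its key or validity."""
    for ca in trust_list:
        if ca.subject == leaf.issuer:
            return ca
    return None

def best_issuer(leaf, trust_list, day):
    """Consider every CA with a matching subject and keep the one whose key
    issued the leaf (modelled here as SKI == AKI) and that is valid on `day`."""
    for ca in trust_list:
        if ca.subject == leaf.issuer and ca.ski == leaf.aki and valid_on(ca, day):
            return ca
    return None

def verify(leaf, trust_list, day, select=best_issuer):
    """Chain check with a pluggable issuer selector: an issuer must be found,
    its key must match the leaf's AKI, and both certs must be valid on `day`."""
    ca = select(leaf, trust_list, day)
    return ca is not None and ca.ski == leaf.aki and valid_on(ca, day) and valid_on(leaf, day)
```

With first-match selection the same leaf verifies or fails depending only on which CA copy is listed first; with key-id aware selection it verifies in both orders.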
