On Tue, 2015-06-30 at 15:16 +0200, Andreas Freimuth wrote:
> Hi all,
>
> I have a problem with the gnutls validating a certificate path. Can
> someone tell me if it is a mistake in the Certs, or a bug in GnuTLS?
>
> Relevant parts of the Certs:
> == server.crt ==
> Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
> X509v3 Subject Alternative Name:
>     DNS:update.foobar.com, DNS:mx.foobar.email
> == CA ==
> X509v3 Name Constraints:
>     Permitted:
>       DNS:foobar.com
>       DNS:foobar.email
>       DirName: C = US, O = Foo Bar Inc.
>     Excluded:
>       DNS:www.foobar.com
>       DNS:www.foobar.email
>       IP:0.0.0.0/0.0.0.0
>       IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

That looks like a bug in gnutls. The reason it is rejected is because you have an IP address constraint which is not checked by gnutls. That shouldn't have been rejected though because there is no IP address set in the server certificate. Anyway the simple fix is to remove the IP constraint which allows everything anyway.

regards,
Nikos
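
As an added illustration (not part of the original thread and not GnuTLS code), the Python example below models the RFC 5280 rule the reply relies on: a name constraint is applied only to names of its own type, so IP subtrees cannot reject a certificate that carries only DNS names. The data is constructed from the values quoted above; the function names are hypothetical, the IP subtrees are written in CIDR form, and the DirName constraint and the subject CN are not evaluated.

```python
import ipaddress

# Constructed model of the values quoted in the thread (not parsed from real certificates).
SAN = [("DNS", "update.foobar.com"), ("DNS", "mx.foobar.email")]
PERMITTED = [("DNS", "foobar.com"), ("DNS", "foobar.email")]
# IP subtrees in CIDR form; the thread shows them as address/mask with an all-zero mask.
EXCLUDED = [("DNS", "www.foobar.com"), ("DNS", "www.foobar.email"),
            ("IP", "0.0.0.0/0"), ("IP", "::/0")]


def dns_within(name, base):
    """dNSName rule: the name equals the base or adds labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)


def ip_within(addr, subtree):
    """iPAddress rule: the address lies in the subtree and has the same IP version."""
    net = ipaddress.ip_network(subtree, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


MATCHERS = {"DNS": dns_within, "IP": ip_within}


def check_name_constraints(names, permitted, excluded):
    """Return (ok, reason). Each constraint is applied only to names of its own type."""
    for kind, value in names:
        match = MATCHERS[kind]
        for ckind, base in excluded:
            if ckind == kind and match(value, base):
                return False, f"{kind}:{value} is inside excluded subtree {base}"
        same_type = [base for ckind, base in permitted if ckind == kind]
        # The permitted list restricts a name type only if it has an entry of that type.
        if same_type and not any(match(value, base) for base in same_type):
            return False, f"{kind}:{value} is outside every permitted {kind} subtree"
    return True, "all names satisfy the constraints"


if __name__ == "__main__":
    # Certificate from the thread: DNS names only, so the IP subtrees never apply.
    print(check_name_constraints(SAN, PERMITTED, EXCLUDED))
    # Same certificate with a constructed IP name: the IP exclusion now applies.
    print(check_name_constraints(SAN + [("IP", "192.0.2.10")], PERMITTED, EXCLUDED))
```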
