On Tue, 2017-05-09 at 14:04 +0100, Daniel P. Berrange wrote:
> On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos wrote:
> > Hi,
> > gnutls 3.5.x is more strict in certificate decoding and performs
> > various checks in the Time fields to ensure they are properly DER
> > formatted. However, it seems that this caused regressions with
> > certain certificates generated by ovirt as seen in [0]. I am not sure
> > which software was used to generate the problematic ones, however, it
> > is most likely openssl, or some other open source software. Are you
> > aware of other or similar decoding issues which were a result of 3.5.x
> > being more strict in DER rules?
> >
> > The options we have are:
> > 1. Ignore the error and insist on DER correctness in input
> > certificates.
> > 2. Allow incorrectly formatted time fields in certificates
> > unconditionally, e.g., with a special libtasn1 flag:
> > https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc
> >
> > Any other option I've missed? While I favor the first for its
> > simplicity, reality has shown over the years we must yield towards the
> > 'work' part.
>
> Have you succeeded in getting any contact with the oVirt community to find
> out how they are generating their certs? That might give some clarity
> on whether it is just a minor bug in their code, vs following common/wide
> practice. It isn't clear if it even affects all oVirt users or just some
> subset of them, vs likely to affect large numbers of non-oVirt users too.
Seems like a good point. I wouldn't know where to ask. Any suggestions?

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
