On Tue, May 9, 2017 at 8:47 PM, Kurt Roeckx <[email protected]> wrote: > On Tue, May 09, 2017 at 02:48:08PM +0200, Nikos Mavrogiannopoulos wrote: >> Hi, >> gnutls 3.5.x is more strict in certificate decoding and performs >> various checks in the Time fields to ensure they are properly DER >> formatted. However, it is seems that this caused regressions with >> certain certificates generated by ovirt as seen in [0]. I am not sure >> which software was used to generate the problematic ones, however, it >> is most likely openssl, or some other open source software. Are you >> aware of other or similar decoding issues which were a result of 3.5.x >> being more strict in DER rules? >> >> The options we have are: >> 1. Ignore the error and insist on DER correctness in input certificates. >> 2. Allow incorrect formatted time fields in certificates >> unconditionally, e.g., with a special libtasn1 flag: >> https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc >> >> any other option I've missed? While I favor the first for its >> simplicity, reality has shown over the years we must yield towards the >> 'work' part. > > NSS is strict in what it accepts. We've recently changed openssl to be > more strict too (commit 80770da39ebba0101079477611b7ce2f426653c5, > https://github.com/openssl/openssl/issues/2620), but maybe not > strict enough yet.
Thank you, that is really helpful. It seems that Kurt has found out the culprit. There seem to be a user input validation issue in openssl when generating certs: https://gitlab.com/gnutls/gnutls/issues/196#note_29192381 regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
