Re: gnutls fails to use Verisign CA cert without a Basic Constraint

[Douglas E. Engert]

Simon Josefsson wrote:
> "Douglas E. Engert" <address@hidden> writes:
>
> > Simon Josefsson wrote:
> >
> > > The default is to reject V1 CA's, so the application need to supply
> > > either flag if they want a particular behaviour.
> > >
> > > By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
> > > flags parameter.  If you call the verification through
> > > gnutls_session_verify_peers, you can use the
> > > gnutls_certificate_set_verify_flags function to set the flags to use
> > > (like cli.c does).
> > That will be a problem, as the application is ldap used by nss-ldap.
> > I have not looked at how they call gnutls, but we don't want to have to
> > changes these too.
> >
> > One could argue the application already provides the list of CA certs
> > it is willing to trust, so why does it need to provide an additional flag?
>
> I believe it would break ABI/API compatibility to change this now --
> applications assume that V1 CA are rejected since that has been the
> documented behaviour for several years.
>
> It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
> V1 flag if it really wants GnuTLS to permit V1 CA's.

Its not the application that wants it. As far as I can tell previous versions
of ldap using OpenLDAP do not have the problem, and only after Ubuntu
back ported the December fixes did this problem start occuring.

I understand that you don't want to change your code.

> Nikos, what do you think?  You wrote the code here, and introduced the
> work-around flags to deal with V1 certs.

Also, as Daniel Kahn Gillmor pointed out, to clear the bit
needs this change:

   > -       flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
   > +       flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;

But this would not solve the problem either.


> For things that aren't documented, I think we can be pragmatic and come
> up with quick fixes and apply them to the v2.6.x branch as needed.  But
> anything that changes documented and intended behaviour is not
> appropriate for our stable branch IMHO.
>
> > If the code change on you TODO list to stop when an intermediate CA cert
> > is found on the trusted CA list, then this would solve my problem,
> > as the intermediate cert is V3 and has CA:TRUE, and is trusted.
>
> Yup.  Fixing that would be neat, and could go onto the v2.7.x branch
> which we could release as the next stable branch relatively quickly.

Actually I wrote a mod on this Friday, to do this. I need to clean it
up today and send it in for your review.

The CA in question is a Verisign cert used to sign an intermediate cert:
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
So trusting this intermediate V3 cert would work for us.

> /Simon

--

 Douglas E. Engert  <address@hidden>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444