Re: Big CA certificate bundle causes problems with GnuTLS 3.0.11
From: Nikos Mavrogiannopoulos
Subject: Re: Big CA certificate bundle causes problems with GnuTLS 3.0.11
Date: Tue, 29 May 2012 23:24:47 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4
On 05/29/2012 11:17 PM, Janne Snabb wrote:
> On 2012-05-30 03:37, Michal Suchanek wrote:
>> Now what I do not get is how a pile of CA certificates is fragmenting
>> the packets.
>>
>> Sounds like a security hole. CA cert piles should be local to either
>> side, only one CA cert relevant for the session. Technically there can
>> be more than one cert in the trust chain but not a pile of them.
>
> If the *server* chooses to trust a pile of CAs in the same way as web
> browsers (clients) typically do, this will happen, see:
>
> https://tools.ietf.org/html/rfc5246#section-7.4.4
>
> It also says:
>
> "If the certificate_authorities list is empty, then the client MAY send
> any certificate of the appropriate ClientCertificateType, unless there
> is some external arrangement to the contrary."
>
> ...which suggests that in cases like this it might be a good idea or at
> least acceptable *not* to put anything in the certificate_authorities
> list when the server sends the Certificate Request. It is unclear how
> various client side implementations implement the "MAY" part of the
> above RFC quote. Do they send a client certificate if the CA list is
> empty? Which one will they send if they have several?
Most send any certificate selected by the user.
> It feels like there should be a way in the GnuTLS API to define whether
> the list of trusted CAs is to be advertised in Certificate Request or
> not. (Maybe there is a way but I am missing it?)
There is. Check client certificate authentication at:
http://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html#Certificate-credentials
regards,
Nikos
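To make the mechanism in the thread concrete: the following is an added, constructed example (not code from the thread, from GnuTLS, or from any of the posters). It builds a TLS 1.2 CertificateRequest handshake message with the layout from RFC 5246 section 7.4.4, where every trusted CA the server advertises is appended as a length-prefixed DistinguishedName, parses it back, and reports how many TLS records and (assuming a typical 1460-byte TCP MSS) TCP segments the message occupies. The DER Name encoder and the CA names are minimal and made up for the demonstration.

```python
"""Constructed example: how a TLS 1.2 CertificateRequest grows with the
number of advertised CAs (RFC 5246 section 7.4.4), and why a large trust
bundle pushes the handshake across several packets."""
import math
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13      # HandshakeType certificate_request
MAX_RECORD_PLAINTEXT = 2 ** 14          # RFC 5246 section 6.2.1 fragment limit
ETHERNET_TCP_MSS = 1460                 # assumed typical IPv4 TCP MSS


def _der_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_dn(common_name: str, org: str) -> bytes:
    """Minimal DER-encoded X.501 Name: O=<org>, CN=<common_name>."""
    def atv(oid: bytes, value: str) -> bytes:
        # AttributeTypeAndValue { OID, UTF8String }
        return _der(0x30, _der(0x06, oid) + _der(0x0C, value.encode()))
    rdn_o = _der(0x31, atv(b"\x55\x04\x0a", org))           # id-at-organizationName
    rdn_cn = _der(0x31, atv(b"\x55\x04\x03", common_name))  # id-at-commonName
    return _der(0x30, rdn_o + rdn_cn)                        # RDNSequence


def build_certificate_request(ca_names: list) -> bytes:
    """Handshake header + CertificateRequest body (RFC 5246 section 7.4.4)."""
    certificate_types = b"\x01\x40"                   # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x04\x03"                    # sha256/rsa, sha256/ecdsa
    # certificate_authorities: DistinguishedName<0..2^16-1>, each DN
    # itself carried as opaque<1..2^16-1>
    dn_vector = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    if len(dn_vector) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds 2^16-1 bytes")
    body = (bytes([len(certificate_types)]) + certificate_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(dn_vector)) + dn_vector)
    return (bytes([HANDSHAKE_CERTIFICATE_REQUEST])
            + len(body).to_bytes(3, "big") + body)


def parse_certificate_authorities(msg: bytes) -> list:
    """Walk the handshake message and return the advertised DNs."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    pos = 4                                           # skip type + 3-byte length
    pos += 1 + msg[pos]                               # certificate_types
    (n_sig,) = struct.unpack_from("!H", msg, pos)
    pos += 2 + n_sig                                  # supported_signature_algorithms
    (n_dn,) = struct.unpack_from("!H", msg, pos)
    pos += 2
    end = pos + n_dn
    names = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", msg, pos)
        pos += 2
        names.append(msg[pos:pos + dn_len])
        pos += dn_len
    return names


def transport_cost(msg: bytes) -> dict:
    """TLS records and (approximate) TCP segments needed for the message."""
    return {
        "bytes": len(msg),
        "tls_records": max(1, math.ceil(len(msg) / MAX_RECORD_PLAINTEXT)),
        "tcp_segments": max(1, math.ceil(len(msg) / ETHERNET_TCP_MSS)),
    }


if __name__ == "__main__":
    # one private CA versus a browser-style bundle (both constructed)
    for n in (1, 150):
        cas = [encode_dn(f"Root CA {i}", f"Org {i}") for i in range(n)]
        print(n, transport_cost(build_certificate_request(cas)))
```

With a single CA the message is a few dozen bytes; with a 150-entry bundle of short, made-up names it already spans several TCP segments, and real CA names are longer. Sending an empty certificate_authorities list, which the RFC text quoted above permits, keeps the message small; the page does not name the call, but the GnuTLS API for not advertising the trusted CAs is, to my knowledge, `gnutls_certificate_send_x509_rdn_sequence()` with a zero status.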