GNU bug report logs - #19098
24.4.51; gnutls.c doesn't handle wildcard certificates
Reported by: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
Date: Tue, 18 Nov 2014 18:03:02 UTC
Severity: normal
Tags: notabug
Found in version 24.4.51
Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #8 received at 19098 <at> debbugs.gnu.org (full text, mbox):
On Tue, 18 Nov 2014 19:01:33 +0100 Lars Magne Ingebrigtsen <larsi <at> gnus.org> wrote:
LMI> The new NSM code uncovered this problem:
LMI> --------
LMI> Certificate issued by GeoTrust SSL CA - G3
LMI> Issued to Tumblr, Inc.
LMI> Certificate host name: *.media.tumblr.com
LMI> Public key: RSA, signature: RSA-SHA256, security level: Low
LMI> Valid from: 2014-09-30, valid to: 2016-04-08
LMI> The TLS connection to 33.media.tumblr.com:443 is insecure
LMI> for the following reason:
LMI> certificate could not be verified
LMI> --------
LMI> So the host checking code in, I think, gnutls-negotiate should be
LMI> extended to understand things like "*.media.tumblr.com".
For the hostname check, we use gnutls_x509_crt_check_hostname() which,
according to the docs, will handle wildcards. But that's not the source
of this error :)
The error you cite comes from gnutls.c:
#+begin_src c
ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
#+end_src
and is caused by the GNUTLS_CERT_INVALID flag. But I don't see a hint
anywhere that it does not work with wildcard certs (you have to
explicitly disable them, so the assumption is that they work by
default). Also, if you set `gnutls-verify-error' to t, do you get the
corresponding error in the non-NSM flow? "$HOSTNAME certificate could
not be verified."
Finally, can you verify the cert with gnutls-cli? If it's valid, I'll
ask on the GnuTLS mailing list because I'm probably missing something.
For me it fails:
#+begin_src text
% gnutls-cli 33.media.tumblr.com [nsm]
Resolving '33.media.tumblr.com'...
Connecting to '209.197.3.20:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `C=US,ST=New York,L=New York,O=Tumblr\, Inc.,CN=*.media.tumblr.com', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-30 00:00:00 UTC', expires `2016-04-08 23:59:59 UTC', SHA-1 fingerprint `099be258615288fba254ee2cf428422be6c8f3ca'
- Certificate[1] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[3] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 UTC', SHA-1 fingerprint `de28f4a4ffe5b92fa3c503d1a349a7f9962a8212'
- The hostname in the certificate matches '33.media.tumblr.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed
#+end_src
Ted
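
The message above separates two checks, hostname matching and chain trust. The following is an added example, not part of the original message and not code from Emacs or GnuTLS, that keeps them separate when reporting a failure. The wildcard matcher is a simplified assumption (the `*` must be the whole leftmost label), and `wildcard_match`, `triage` and the `ST_*` flags are hypothetical names with constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Local stand-ins for chain-verification status bits (constructed values,
   not GnuTLS's own constants). */
enum { ST_INVALID = 1, ST_SIGNER_NOT_FOUND = 2, ST_EXPIRED = 4 };

/* Simplified wildcard match: "*" may only be the whole leftmost label and
   covers exactly one label. Not the GnuTLS implementation. */
static int wildcard_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;  /* no wildcard: exact match */
    const char *rest = strchr(host, '.');       /* skip the host's first label */
    if (rest == NULL || rest == host)
        return 0;                               /* no label for "*" to cover */
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                               /* refuse "*.com"-style patterns */
    return strcasecmp(pattern + 1, rest) == 0;  /* compare ".media.tumblr.com" */
}

/* Name the check that failed, so a chain problem is not reported as a
   hostname problem. */
static const char *triage(const char *cert_name, const char *host,
                          unsigned status)
{
    if (!wildcard_match(cert_name, host))
        return "hostname mismatch";
    if (status & ST_SIGNER_NOT_FOUND)
        return "issuer unknown";
    if (status & ST_EXPIRED)
        return "expired";
    if (status & ST_INVALID)
        return "invalid (unspecified)";
    return "ok";
}

int main(void)
{
    /* Constructed inputs modelled on the gnutls-cli output above. */
    printf("%s\n", triage("*.media.tumblr.com", "33.media.tumblr.com",
                          ST_INVALID | ST_SIGNER_NOT_FOUND));
    printf("%s\n", triage("*.media.tumblr.com", "a.33.media.tumblr.com", 0));
    return 0;
}
```
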
This bug report was last modified 10 years and 208 days ago.