GNU bug report logs - #31946
27.0.50; The NSM should warn about more TLS problems

Previous Next

Full log

Message #122 received at 31946 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Noam Postavsky <npostavs <at> gmail.com>
Cc: 31946 <at> debbugs.gnu.org
Subject: Re: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Sun, 08 Jul 2018 22:01:00 +0200

Noam Postavsky <npostavs <at> gmail.com> writes:

> Yeah, the _dn3 data still misses the CN=... from the issuer and is not
> equal the the subject for the root, so it doesn't seem to help this
> problem.

I tried using gnutls-cli, and it saus:

- Certificate[2] info:
 - subject `CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US', issuer `OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US', serial 0x250ce8e030612e9f2b89f7054d7cf8fd, RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-08 00:00:00 UTC', expires `2021-11-07 23:59:59 UTC', key-ID `sha256:25b41b506e4930952823a6eb9f1d31def645ea38a5c6c6a96d71957e384df058'

So, no CN= in the issuer there, either...

And here's openssl s_client:

 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

So there just isn't any CN= in the issuer here?

So we need a new way to determine whether a certificate is an
intermediate certificate.  Unless that really is an intermediate
certificate and the warning is correct.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.