GNU bug report logs - #31946
27.0.50; The NSM should warn about more TLS problems
Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>
Date: Sat, 23 Jun 2018 10:39:02 UTC
Severity: normal
Tags: fixed, security
Found in version 27.0.50
Fixed in version 27.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #98 received at 31946 <at> debbugs.gnu.org:
Noam Postavsky <npostavs <at> gmail.com> writes:
> But in Emacs, I'm getting this from gnutls_x509_crt_get_issuer_dn():
>
> "C=US,O=VeriSign\\, Inc.,OU=Class 3 Public Primary Certification Authority"
>
> and this from gnutls_x509_crt_get_dn():
>
> "C=US,O=VeriSign\\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006
> VeriSign\\, Inc. - For authorized use only,CN=VeriSign Class 3 Public
> Primary Certification Authority - G5"
Ah, I see...
> So gnutls is getting this non-matching issuer from somewhere, but it's
> unclear to me where.
Hm...
Oh! I see that gnutls has gotten several variations on these functions
now. For instance:
https://www.gnutls.org/reference/gnutls-x509.html#gnutls-x509-crt-get-issuer-dn3
It says:
"When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output
format will match the format output by previous to 3.5.6 versions of
GnuTLS which was not fully RFC4514-compliant."
Which I would interpret to mean that the dn3 versions of these functions
now return the RFC4515-compliant strings. Perhaps we should call these
newer functions instead of the _dn functions? I guess more #ifdefs and
configure checks will be needed...
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
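
Added example, not part of the message above and not Emacs or GnuTLS code: a string-level check that splits the two DN strings quoted in the message into RDNs at unescaped commas (so `VeriSign\, Inc.` stays one value) and reports the first RDN at which they diverge. The helper names `split_dn`, `count_rdns` and `first_mismatch` are hypothetical, and GnuTLS itself is not called.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RDNS 16

/* DN strings quoted in the message above (a single backslash once the
   Lisp string escaping is undone). */
static const char ISSUER_DN[] =
    "C=US,O=VeriSign\\, Inc.,OU=Class 3 Public Primary Certification Authority";
static const char SUBJECT_DN[] =
    "C=US,O=VeriSign\\, Inc.,OU=VeriSign Trust Network,"
    "OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,"
    "CN=VeriSign Class 3 Public Primary Certification Authority - G5";

/* Split dn in place at unescaped commas. A backslash protects the next
   character, so "\," stays inside the attribute value. Multi-valued RDNs
   ("+") are left joined. Returns the number of RDNs stored in out. */
static int split_dn(char *dn, char **out, int max) {
    int n = 1;
    if (!*dn || max < 1) return 0;
    out[0] = dn;
    for (char *p = dn; *p && n < max; p++) {
        if (*p == '\\' && p[1]) p++;            /* skip the escaped character */
        else if (*p == ',') { *p = '\0'; out[n++] = p + 1; }
    }
    return n;
}

/* Number of RDNs in a DN string (works on a private copy). */
static int count_rdns(const char *dn) {
    char buf[512], *rdn[MAX_RDNS];
    snprintf(buf, sizeof buf, "%s", dn);
    return split_dn(buf, rdn, MAX_RDNS);
}

/* Index of the first RDN at which the two DN strings differ, -1 if none. */
static int first_mismatch(const char *a, const char *b) {
    char ba[512], bb[512], *ra[MAX_RDNS], *rb[MAX_RDNS];
    snprintf(ba, sizeof ba, "%s", a);
    snprintf(bb, sizeof bb, "%s", b);
    int na = split_dn(ba, ra, MAX_RDNS), nb = split_dn(bb, rb, MAX_RDNS);
    for (int i = 0; i < na || i < nb; i++)
        if (i >= na || i >= nb || strcmp(ra[i], rb[i]) != 0) return i;
    return -1;
}

int main(void) {
    printf("issuer=%d subject=%d mismatch=%d\n", count_rdns(ISSUER_DN),
           count_rdns(SUBJECT_DN), first_mismatch(ISSUER_DN, SUBJECT_DN));
    return 0;
}
```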
This bug report was last modified 5 years and 327 days ago.