
List:       gnutls-dev
Subject:    Re: [gnutls-devel] turkish CA certificate
From:       Peter Williams <home_pw () msn ! com>
Date:       2014-06-06 16:14:39
Message-ID: SNT404-EAS412172AA82C27F65FB46D36922C0 () phx ! gbl



More likely it's a signature for traffic isolation.

Sent from my Windows Phone
________________________________
From: Kurt Roeckx<mailto:kurt@roeckx.be>
Sent: 6/6/2014 9:12 AM
To: Ludwig Nussel<mailto:ludwig.nussel@suse.de>
Cc: gnutls-devel@lists.gnutls.org<mailto:gnutls-devel@lists.gnutls.org>
Subject: Re: [gnutls-devel] turkish CA certificate

On Fri, Jun 06, 2014 at 03:59:51PM +0200, Ludwig Nussel wrote:
> Nikos Mavrogiannopoulos wrote:
> >On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov@ada-ru.org> wrote:
> >>I got this certificate from OpenSUSE repository
> >>package ca-certificates-mozilla,
> >>I guess it is trusted and publicly available.
> >>OpenSSL shows it correctly
> >>openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
> >>-text -noout
> >>But GNUTLS command
> >>certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> >
> >Hello,
> >  This must be the same certificate Kurt reported a few days ago. It
> >mis-encodes the country name as UTF8String rather than printable
> >string, and this is the reason decoding fails.
> >RFC5280 is strict on the encoding of countryName and that is a PrintableString:
> >X520countryName ::=     PrintableString (SIZE (2))
> >
> >I guess all other implementations give some slack to the spec and
> >that's why they didn't notice. How important is that certificate? Would
> >it make sense to work around and allow such invalid encodings?
>
> If the certificate violates the spec it might also be worth reporting to
> mozilla so they don't accept such certificates in the first place.

This is actually on my list of things to do.  I think I have found a
2nd issuer but didn't have time to look at it yet.


Kurt


_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
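The encoding problem Nikos describes above (countryName carried as a UTF8String where RFC 5280 mandates PrintableString (SIZE (2))) is easy to check for directly in the DER without a full X.509 parser. The script below is an added example written for this archive page; it is not code from the thread, from GnuTLS or from OpenSSL. It walks any DER structure, locates each AttributeTypeAndValue whose type is the countryName OID (2.5.4.6), and reports the ASN.1 tag actually used for the value, so it works on a bare Name as well as on a whole certificate (where it would report both issuer and subject). The two sample Names at the bottom are constructed for the example: one encoded correctly, one mis-encoded the way the thread describes. Nothing here accepts or rejects a certificate; it only tells you which strict decoders, like certtool in this thread, will refuse it.

```python
"""Check how countryName (OID 2.5.4.6) is encoded in DER-encoded X.509 data.

RFC 5280 / X.520: X520countryName ::= PrintableString (SIZE (2)).
A strict decoder rejects a countryName carried as a UTF8String (tag 0x0C);
a lenient one silently accepts it. This tool reports which tag is present.
"""
import base64
import sys

COUNTRY_NAME_OID = bytes.fromhex("550406")  # 2.5.4.6 encoded as DER OID content
COMMON_NAME_OID = bytes.fromhex("550403")   # 2.5.4.3, only used for the sample data
TAG_OID, TAG_UTF8_STRING, TAG_PRINTABLE_STRING = 0x06, 0x0C, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_NAMES = {TAG_UTF8_STRING: "UTF8String", TAG_PRINTABLE_STRING: "PrintableString",
             0x16: "IA5String", 0x14: "T61String", 0x1E: "BMPString"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def find_country_name_values(der):
    """Return [(value_tag, value_bytes)] for every countryName attribute in der."""
    found = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, body, pos = read_tlv(buf, pos)
            # AttributeTypeAndValue is SEQUENCE { type OID, value ANY }
            if tag == TAG_SEQUENCE and len(body) >= 2:
                t, oid, vpos = read_tlv(body, 0)
                if t == TAG_OID and oid == COUNTRY_NAME_OID and vpos < len(body):
                    vtag, value, _ = read_tlv(body, vpos)
                    found.append((vtag, value))
                    continue
            if tag & 0x20:                 # constructed: descend into SEQUENCE/SET/etc.
                walk(body)

    walk(der)
    return found


def check_country_name(der):
    """Report each countryName with its tag and whether it meets RFC 5280's rule."""
    report = []
    for vtag, value in find_country_name_values(der):
        report.append({
            "tag": TAG_NAMES.get(vtag, hex(vtag)),
            "value": value.decode("utf-8", "replace"),
            "rfc5280_ok": vtag == TAG_PRINTABLE_STRING and len(value) == 2,
        })
    return report


def pem_to_der(text):
    """Strip PEM armour lines and base64-decode the body."""
    lines = [ln.strip() for ln in text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


# --- constructed sample data (not real certificates) --------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _atv(oid, tag, text):
    return _tlv(TAG_SEQUENCE, _tlv(TAG_OID, oid) + _tlv(tag, text.encode()))


def _name(*atvs):
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_SET, a) for a in atvs))


GOOD_NAME = _name(_atv(COUNTRY_NAME_OID, TAG_PRINTABLE_STRING, "TR"),
                  _atv(COMMON_NAME_OID, TAG_UTF8_STRING, "Example CA"))
BAD_NAME = _name(_atv(COUNTRY_NAME_OID, TAG_UTF8_STRING, "TR"),   # the mis-encoding
                 _atv(COMMON_NAME_OID, TAG_UTF8_STRING, "Example CA"))

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # usage: python check_c.py cert.pem
        with open(sys.argv[1]) as fh:
            print(check_country_name(pem_to_der(fh.read())))
    else:
        print("good:", check_country_name(GOOD_NAME))
        print("bad: ", check_country_name(BAD_NAME))
```

Running it on the two constructed Names reports PrintableString/ok for the first and UTF8String/not ok for the second; pointing it at a PEM file prints one entry per countryName found, which is how you would confirm that a certificate rejected by certtool has exactly this defect before deciding whether to tolerate it.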

