List:       gnutls-dev
Subject:    Re: [gnutls-devel] Name constraint error?
From:       Kurt Roeckx <kurt () roeckx ! be>
Date:       2015-12-20 17:35:26
Message-ID: 20151220173526.GA20576 () roeckx ! be

On Sun, Dec 20, 2015 at 07:09:13PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Dec 20, 2015 at 5:37 PM, Andreas Metzler <ametzler@bebt.de> wrote:
> > The error happens at the CA->intermed step.
> > host
> > Issuer: C=GR,O=Aristotle University of Thessaloniki,CN=Aristotle University of Thessaloniki Central CA R5
> > Subject: C=GR,O=Aristotle University of Thessaloniki,OU=IT Center,CN=cdn.it.auth.gr
> >
> > intermed CA
> > Issuer: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> > Subject: C=GR,O=Aristotle University of Thessaloniki,CN=Aristotle University of Thessaloniki Central CA R5
> >
> > root CA
> > Issuer: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> > Subject: C=GR,O=Hellenic Academic and Research Institutions Cert. Authority,CN=Hellenic Academic and Research Institutions RootCA 2011
> > Name Constraints (not critical):
> > Permitted:
> > DNSname: .gr
> > DNSname: .eu
> > DNSname: .edu
> > DNSname: .org
> > RFC822Name: .gr
> > RFC822Name: .eu
> > RFC822Name: .edu
> > RFC822Name: .org
> > I suspect that the Name Constraints might cause the error.
> 
> Indeed. That's one of the few CAs using name constraints and
> unfortunately it uses them wrong.
> I had an open issue at https://gitlab.com/gnutls/gnutls/issues/3
> which was resolved at the 3.4.x branch.

I couldn't remember the details earlier but this certificate is
exactly why OpenSSL changed its behaviour about a year ago.


Kurt


_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
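
Added example, not part of the original message and not GnuTLS or OpenSSL code: assuming the problem discussed above is the leading dot in the DNSname entries (RFC 5280 writes dNSName subtrees without one, e.g. host.example.com), this sketch compares a literal reading of the rule with a lenient one that accepts the dotted form. The function names and the sample names other than cdn.it.auth.gr are made up for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not a GnuTLS or OpenSSL function.
 * Returns true if `name` lies inside the permitted dNSName subtree `constraint`. */
bool dns_name_permitted(const char *constraint, const char *name, bool lenient_dot)
{
    size_t clen = strlen(constraint), nlen = strlen(name);

    if (clen == 0)
        return true;              /* empty constraint: every DNS name matches */

    if (constraint[0] == '.') {
        if (!lenient_dot)
            return false;         /* literal reading: labels prepended to ".gr" give "x..gr" */
        /* lenient reading: at least one label must precede the dotted suffix */
        return nlen > clen && strcasecmp(name + nlen - clen, constraint) == 0;
    }

    if (nlen < clen || strcasecmp(name + nlen - clen, constraint) != 0)
        return false;
    /* exact match, or extra labels on the left that end at a label boundary */
    return nlen == clen || name[nlen - clen - 1] == '.';
}

/* Permitted DNSname list copied from the root CA in the quoted message. */
static const char *const permitted[] = { ".gr", ".eu", ".edu", ".org" };

bool any_permitted(const char *name, bool lenient_dot)
{
    for (size_t i = 0; i < sizeof permitted / sizeof permitted[0]; i++)
        if (dns_name_permitted(permitted[i], name, lenient_dot))
            return true;
    return false;
}

int main(void)
{
    /* cdn.it.auth.gr is from the quoted output; the other names are constructed. */
    const char *names[] = { "cdn.it.auth.gr", "example.com", "notgr" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s literal=%d lenient=%d\n", names[i],
               any_permitted(names[i], false), any_permitted(names[i], true));
    return 0;
}
```

With the literal reading every name is rejected by this permitted list, which is the kind of chain failure reported in the thread; the lenient reading accepts names under .gr while still rejecting names outside the four suffixes.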

