dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1672
## Description of problem:
GnuTLS accepts a critical Subject Key Identifier extension; OpenSSL and WolfSSL reject it. RFC 5280 requires that the SKI extension be marked non-critical.
## Version of gnutls used:
gnutls-cli 3.8.9
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
* `certtool --verify --load-ca-certificate RootCA.pem --infile Cert17408142963.pem`

[Cert17408142963.pem](/uploads/7163941bc5e98a343961839ab277cd27/Cert17408142963.pem) [RootCA.pem](/uploads/2eef74ceb38fe45241449d368ea4fe4a/RootCA.pem)
## Actual results:
```
Loaded CAs (1 available)
Setting log level to 10
Subject: CN=www.mycompany1.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Issuer: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Checked against: CN=www.mycompany.com,OU=My Unit1,O=My Company1,L=MY Locality1,ST=My ST1,C=UN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
```
## Expected results:
Consistent verification results among GnuTLS and other TLS implementations.
OpenSSL: `error 34 at 0 depth lookup: unhandled critical extension`
WolfSSL: `wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid`
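The check the reporter expects, as an added example that is not part of the issue or of GnuTLS: a minimal DER walker that reports every extension's OID and critical flag and flags a SubjectKeyIdentifier (OID 2.5.29.14) marked critical, which RFC 5280 section 4.2.1.2 forbids. The two sample blobs are constructed here, not taken from the attached certificates.

```python
# Added example (not from the issue or GnuTLS): detect a critical
# SubjectKeyIdentifier in DER X.509 extensions. Standard library only.
SKI_OID = "2.5.29.14"

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, constructed, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, bool(tag & 0x20), value, pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def iter_extensions(der):
    """Yield (oid, critical) for every Extension SEQUENCE reachable in der.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. OCTET STRING bodies are never descended."""
    stack = [der]
    while stack:
        buf, pos = stack.pop(), 0
        while pos < len(buf):
            tag, constructed, value, pos = _read_tlv(buf, pos)
            if tag == 0x30 and value and value[0] == 0x06:
                _, _, oid_raw, p = _read_tlv(value, 0)
                critical = False
                if p < len(value) and value[p] == 0x01:  # optional BOOLEAN
                    _, _, flag, p = _read_tlv(value, p)
                    critical = flag == b"\xff"  # DER encodes TRUE as 0xFF
                yield _decode_oid(oid_raw), critical
            elif constructed:
                stack.append(value)

def critical_ski_present(der):
    """True when a SubjectKeyIdentifier extension carries critical=TRUE."""
    return any(oid == SKI_OID and crit for oid, crit in iter_extensions(der))

# Constructed samples: [3] EXPLICIT Extensions holding a single SKI extension.
BAD_EXTS = bytes.fromhex("a3 14 30 12 30 10 06 03 55 1d 0e 01 01 ff 04 06 04 04 de ad be ef")
GOOD_EXTS = bytes.fromhex("a3 11 30 0f 30 0d 06 03 55 1d 0e 04 06 04 04 de ad be ef")
```

Feeding a whole DER certificate to `critical_ski_present` works the same way, since the walker descends into the tbsCertificate and its `[3]` extensions wrapper.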