On 01.07.2015 09:45, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-06-30 at 15:16 +0200, Andreas Freimuth wrote:
>> Hi all,
>>
>> I have a problem with gnutls validating a certificate path. Can
>> someone tell me if it is a mistake in the Certs, or a bug in GnuTLS?
>>
>> Relevant parts of the Certs:
>> == server.crt ==
>> Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
>> X509v3 Subject Alternative Name:
>> DNS:update.foobar.com, DNS:mx.foobar.email
>> == CA ==
>> X509v3 Name Constraints:
>> Permitted:
>> DNS:foobar.com
>> DNS:foobar.email
>> DirName: C = US, O = Foo Bar Inc.
>> Excluded:
>> DNS:www.foobar.com
>> DNS:www.foobar.email
>> IP:0.0.0.0/0.0.0.0
>> IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
>
> That looks like a bug in gnutls. The reason it is rejected is because
> you have an IP address constraint which is not checked by gnutls. That
> shouldn't have been rejected though because there is no IP address set
> in the server certificate. Anyway the simple fix is to remove the IP
> constraint, which allows everything anyway.
Thanks. The workaround works.

btw: The IP constraint is a MUST have, by the CA/Browser Forum Baseline
Requirements ([1] 7.1.5). And it is not 'allow everything'. It forbids
'0.0.0.0/0', which forbids everything.

> regards,
> Nikos

-- 
Andreas Freimuth
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
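The point under discussion is how RFC 5280 section 4.2.1.10 name constraints are supposed to be evaluated: each name in the leaf is compared only with permitted and excluded subtrees of its own name form, so an excluded iPAddress subtree has no effect on a certificate that carries no iPAddress SAN, and an IP constraint written as 0.0.0.0/0.0.0.0 (all-zero mask) matches every IPv4 address, i.e. it excludes all of them rather than allowing them. The following is an added worked example, not GnuTLS code and not code from either poster; it implements that matching for dNSName, iPAddress and directoryName over the constraints and names transcribed from the two certificates above (constructed sample data), and the function and constant names are this example's own.

```python
"""RFC 5280 4.2.1.10 name-constraint matching for dNSName, iPAddress and
directoryName, run against the CA and server.crt from the thread.
Added example; constructed sample data, not GnuTLS code."""
import ipaddress
from typing import Sequence


def dns_in_subtree(name: str, base: str) -> bool:
    """A dNSName satisfies a constraint when it equals the constraint or is
    formed by prepending one or more labels to it (foobar.com covers
    update.foobar.com but not notfoobar.com)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr: str, constraint: str) -> bool:
    """An iPAddress constraint is "base/mask" with a full mask of the same
    address family; the address is in the subtree when
    (addr & mask) == (base & mask). With an all-zero mask (0.0.0.0/0.0.0.0,
    ::/::) every address of that family is in the subtree."""
    base_s, mask_s = constraint.split("/")
    a, base, mask = (ipaddress.ip_address(x) for x in (addr, base_s, mask_s))
    if not (a.version == base.version == mask.version):
        return False  # other address family: this subtree does not apply
    return (int(a) & int(mask)) == (int(base) & int(mask))


def dirname_in_subtree(subject: Sequence, base: Sequence) -> bool:
    """A directoryName is in a subtree when the constraint's RDN sequence is
    a prefix of the name's RDN sequence (RDNs given in certificate order)."""
    base = tuple(base)
    return tuple(subject[: len(base)]) == base


MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree, "DirName": dirname_in_subtree}


def check_name_constraints(names, permitted, excluded):
    """Return (ok, reason). Each leaf name is compared only with subtrees of
    its own type: a matching excluded subtree rejects the name, and if the CA
    lists permitted subtrees of that type the name must match one of them.
    Constraint types the leaf never uses are simply not consulted, so the
    excluded IP subtrees cannot reject a leaf without an iPAddress SAN."""
    for kind, value in names:
        match = MATCHERS[kind]
        for ekind, ebase in excluded:
            if ekind == kind and match(value, ebase):
                return False, f"{kind}:{value!r} lies in excluded subtree {ebase!r}"
        allowed = [b for k, b in permitted if k == kind]
        if allowed and not any(match(value, b) for b in allowed):
            return False, f"{kind}:{value!r} matches no permitted {kind} subtree"
    return True, "all names satisfy the CA's name constraints"


# Constructed sample data transcribed from the thread's CA and server.crt.
CA_PERMITTED = [
    ("DNS", "foobar.com"),
    ("DNS", "foobar.email"),
    ("DirName", (("C", "US"), ("O", "Foo Bar Inc."))),
]
CA_EXCLUDED = [
    ("DNS", "www.foobar.com"),
    ("DNS", "www.foobar.email"),
    ("IP", "0.0.0.0/0.0.0.0"),
    ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"),
]
SERVER_NAMES = [
    ("DirName", (("C", "US"), ("O", "Foo Bar Inc."), ("CN", "bazz.foobar.com"))),
    ("DNS", "update.foobar.com"),
    ("DNS", "mx.foobar.email"),
]


def check_server_cert():
    """The leaf from the thread: no IP SAN, so the IP exclusions never apply."""
    return check_name_constraints(SERVER_NAMES, CA_PERMITTED, CA_EXCLUDED)


def check_with_ip_san(ip: str):
    """The same leaf with an iPAddress SAN added: now an excluded subtree matches."""
    return check_name_constraints(SERVER_NAMES + [("IP", ip)], CA_PERMITTED, CA_EXCLUDED)


if __name__ == "__main__":
    print(check_server_cert())               # accepted
    print(check_with_ip_san("192.0.2.10"))   # rejected: every IPv4 address is excluded
    print(check_with_ip_san("2001:db8::1"))  # rejected: every IPv6 address is excluded
    print(check_name_constraints([("DNS", "www.foobar.com")], CA_PERMITTED, CA_EXCLUDED))
    print(check_name_constraints([("DNS", "foobar.com.example.net")], CA_PERMITTED, CA_EXCLUDED))
```

The last two calls show the two failure modes a practitioner usually wants to confirm: an explicitly excluded host is rejected even though it sits under a permitted subtree (excluded wins), and a name that merely contains the permitted string as a prefix (foobar.com.example.net) is rejected because subtree matching is on trailing labels, not substrings. RFC 5280 section 6.1.4 adds the rule that matters for the thread: a validator that cannot process a constraint of some name form must reject the certificate only if the subject or subjectAltName of a subsequent certificate actually contains a name of that form.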
