Hi,

gnutls 3.5.x is more strict in certificate decoding and performs various checks in the Time fields to ensure they are properly DER formatted. However, it seems that this caused regressions with certain certificates generated by ovirt as seen in [0]. I am not sure which software was used to generate the problematic ones, however, it is most likely openssl, or some other open source software. Are you aware of other or similar decoding issues which were a result of 3.5.x being more strict in DER rules?

The options we have are:

1. Ignore the error and insist on DER correctness in input certificates.
2. Allow incorrectly formatted time fields in certificates unconditionally, e.g., with a special libtasn1 flag: https://gitlab.com/gnutls/libtasn1/commit/16bad0c72dcdfbe5512cdd6b46b251ab7484e5dc

Any other option I've missed? While I favor the first for its simplicity, reality has shown over the years we must yield towards the 'work' part.

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/issues/196
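
The kind of Time-field check the message refers to, as an added example that is not part of the original message and is not gnutls or libtasn1 code. It applies the DER restrictions of X.690 sections 11.7 and 11.8 to the content octets of a UTCTime or GeneralizedTime value; the function and enum names are hypothetical, and the message does not say which of these rules the reported certificates violated.

```c
#include <ctype.h>
#include <stddef.h>

enum { TAG_UTCTIME = 0x17, TAG_GENERALIZEDTIME = 0x18 };

enum time_status {
    TIME_OK = 0,
    TIME_BAD_TAG,
    TIME_NO_Z,         /* local time or +hhmm/-hhmm offset instead of 'Z' */
    TIME_BAD_LENGTH,   /* e.g. seconds omitted */
    TIME_NON_DIGIT,
    TIME_BAD_FRACTION  /* empty fraction, trailing zero, or ',' separator */
};

static int all_digits(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Check the content octets of a Time value against the DER form
 * (X.690 11.7/11.8). Calendar ranges are not checked here. */
enum time_status der_time_check(int tag, const char *v, size_t len)
{
    size_t fixed;  /* digits up to and including seconds */

    if (tag == TAG_UTCTIME) fixed = 12;               /* YYMMDDHHMMSS */
    else if (tag == TAG_GENERALIZEDTIME) fixed = 14;  /* YYYYMMDDHHMMSS */
    else return TIME_BAD_TAG;

    if (len == 0 || v[len - 1] != 'Z') return TIME_NO_Z;
    if (len < fixed + 1) return TIME_BAD_LENGTH;
    if (!all_digits(v, fixed)) return TIME_NON_DIGIT;
    if (len == fixed + 1) return TIME_OK;
    /* Octets between seconds and 'Z': only GeneralizedTime allows a fraction. */
    if (tag == TAG_UTCTIME) return TIME_BAD_LENGTH;
    if (v[fixed] != '.' || len == fixed + 2) return TIME_BAD_FRACTION;
    if (!all_digits(v + fixed + 1, len - fixed - 2)) return TIME_BAD_FRACTION;
    return v[len - 2] == '0' ? TIME_BAD_FRACTION : TIME_OK;
}
```

A lenient BER decoder accepts several of the forms rejected here, which is the gap between the two options listed in the message.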
