From: Ted Zlatanov <tzz@lifelogs.com>
To: Lars Magne Ingebrigtsen <larsi@gnus.org>
Cc: 19098@debbugs.gnu.org
Subject: bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates
Date: Wed, 19 Nov 2014 16:03:21 -0500 [thread overview]
Message-ID: <878uj6c38m.fsf@lifelogs.com> (raw)
In-Reply-To: <m3vbmccrr6.fsf@stories.gnus.org> (Lars Magne Ingebrigtsen's message of "Tue, 18 Nov 2014 19:01:33 +0100")
On Tue, 18 Nov 2014 19:01:33 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
LMI> The new NSM code uncovered this problem:
LMI> --------
LMI> Certificate issued by GeoTrust SSL CA - G3
LMI> Issued to Tumblr, Inc.
LMI> Certificate host name: *.media.tumblr.com
LMI> Public key: RSA, signature: RSA-SHA256, security level: Low
LMI> Valid from: 2014-09-30, valid to: 2016-04-08
LMI> The TLS connection to 33.media.tumblr.com:443 is insecure
LMI> for the following reason:
LMI> certificate could not be verified
LMI> --------
LMI> So the host checking code in, I think, gnutls-negotiate should be
LMI> extended to understand things like "*.media.tumblr.com".
For the hostname check, we use gnutls_x509_crt_check_hostname() which,
according to the docs, will handle wildcards. But that's not the source
of this error :)
The error you cite comes from gnutls.c:
#+begin_src c
ret = fn_gnutls_certificate_verify_peers2 (state, &peer_verification);
#+end_src
and is caused by the GNUTLS_CERT_INVALID flag. But I don't see a hint
anywhere that it does not work with wildcard certs (you have to
explicitly disable them, so the assumption is that they work by
default). Also, if you set `gnutls-verify-error' to t, do you get the
corresponding error in the non-NSM flow? "$HOSTNAME certificate could
not be verified."
Finally, can you verify the cert with gnutls-cli? If it's valid, I'll
ask on the GnuTLS mailing list because I'm probably missing something.
For me it fails:
#+begin_src text
% gnutls-cli 33.media.tumblr.com [nsm]
Resolving '33.media.tumblr.com'...
Connecting to '209.197.3.20:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `C=US,ST=New York,L=New York,O=Tumblr\, Inc.,CN=*.media.tumblr.com', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-09-30 00:00:00 UTC', expires `2016-04-08 23:59:59 UTC', SHA-1 fingerprint `099be258615288fba254ee2cf428422be6c8f3ca'
- Certificate[1] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Certificate[3] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 UTC', SHA-1 fingerprint `de28f4a4ffe5b92fa3c503d1a349a7f9962a8212'
- The hostname in the certificate matches '33.media.tumblr.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed
#+end_src
Ted
next prev parent reply other threads:[~2014-11-19 21:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-18 18:01 bug#19098: 24.4.51; gnutls.c doesn't handle wildcard certificates Lars Magne Ingebrigtsen
2014-11-19 21:03 ` Ted Zlatanov [this message]
2014-12-08 20:11 ` Lars Magne Ingebrigtsen
2014-12-10 16:08 ` Ted Zlatanov
2014-12-10 16:27 ` Lars Magne Ingebrigtsen
2014-12-10 16:34 ` Ted Zlatanov
2014-12-21 12:10 ` Lars Ingebrigtsen
2014-12-24 12:49 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878uj6c38m.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=19098@debbugs.gnu.org \
--cc=larsi@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.