On 13/11/2013 13:30, Igor Sverkos wrote:
> Hello,
>
> thank you for your response. There's one thing in your reply I don't understand:
>
> Erwann Abalea wrote:
>>> It seems to be a valid certificate for OpenSSL, right?
>>
>> OpenSSL can parse it, yes.
>>
>> [...]
>>
>> Reading X.520 shows that the DirectoryString type disallows 0-sized
>> elements. So you're right, this isn't a valid X.509 certificate.
>>
>> [...]
>>
>> GNUtls is primitive in some aspects, DN parsing is one of them.
>> Anyway, the fault is shared between GNUtls and the CA. Not with OpenSSL.
>
> If it isn't a valid X.509 certificate as you agreed, shouldn't openssl
> complain when I verify/establish a connection using AUTH TLS which will use
> this certificate?

Well. It could be very strict. Would it solve the problem you have with gnutls? No.
Does this tolerance have any security impact? No.

> So for me it is not a question of "tolerance", as you said: OpenSSL's
> ASN.1 parser is more tolerant than GnuTLS's (which uses libtasn1, BTW). If the
> certificate is invalid, OpenSSL should say so and verify shouldn't pass.

Verifying the presented certificate with certtool from gnutls version 3.0.11 on my Ubuntu 13.10 works (haven't checked if they have special patches for this). Place your certificate+issuingCA+rootCA in a file, and run "certtool -e --infile allcerts.pem".
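As an added illustration of the X.520 point discussed above (this is example code written for this page, not code from the thread, from OpenSSL or from GnuTLS): a minimal DER walker that flags a Name containing a zero-length DirectoryString attribute value, which is the strictness the thread attributes to GnuTLS. The two DNs it is run on are constructed by hand, not taken from the certificate under discussion.

```python
# Universal tags of the DirectoryString CHOICE alternatives (X.520)
DIRECTORY_STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
                         0x14: "T61String", 0x1C: "UniversalString",
                         0x1E: "BMPString"}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(raw):
    """Decode a DER OID content octet string to dotted notation."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def empty_directory_strings(name_der):
    """Return dotted OIDs of attributes whose value is an empty DirectoryString.
    An empty list means the Name passes this X.520 check."""
    bad, pos = [], 0
    tag, rdn_seq, _ = read_tlv(name_der, 0)   # Name ::= SEQUENCE OF RDN
    assert tag == 0x30, "Name must be a SEQUENCE"
    while pos < len(rdn_seq):                  # RDN ::= SET OF ATV
        _, rdn_set, pos = read_tlv(rdn_seq, pos)
        p = 0
        while p < len(rdn_set):                # ATV ::= SEQUENCE { OID, value }
            _, atv_der, p = read_tlv(rdn_set, p)
            _, oid, q = read_tlv(atv_der, 0)
            vtag, value, _ = read_tlv(atv_der, q)
            if vtag in DIRECTORY_STRING_TAGS and len(value) == 0:
                bad.append(oid_to_str(oid))
    return bad

# --- constructed sample DNs (short-form lengths are enough here) ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def atv(oid, value, tag=0x13):                 # one single-valued RDN
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, value)))

CN, O = b"\x55\x04\x03", b"\x55\x04\x0a"       # id-at-commonName, id-at-organizationName
GOOD_NAME = tlv(0x30, atv(O, b"Example Org") + atv(CN, b"example.test"))
BAD_NAME = tlv(0x30, atv(O, b"") + atv(CN, b"example.test", 0x0C))   # O is empty
```

Running `empty_directory_strings(BAD_NAME)` reports `2.5.4.10` (organizationName), the kind of attribute a lenient ASN.1 decoder accepts while a strict X.520 check rejects it.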
