[Pkg-gnutls-maint] Bug#402863: gnutls server requests wrong DNs from the client
Max Kellermann
max at duempel.org
Wed Dec 13 09:05:50 CET 2006
Package: libgnutls13
Version: 1.4.4-3
Tags: patch
When running a service which requests the client to authenticate
itself with a client certificate, the gnutls server will send the
wrong CA DNs to the client. This prevents the client from selecting
the correct certificate.
Instead of providing a list of trusted CA DNs, the gnutls server sends
a list of their issuers. This violates the SSL protocol specification
section 5.6.4.
In the most basic setups (in which gnutls might have been tested?),
this is not a problem, since the client certificate is signed by the
self-signed root CA, which is by definition its own issuer. In a
complex real world setup, however, client authentication will not
work.
I reported this problem to upstream yesterday:
http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001313.html
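The following is an added example, not part of the bug report and not GnuTLS code. It models the `certificate_authorities` field of the TLS CertificateRequest message (RFC 2246, section 7.4.4) to show why the report's "basic setup" masks the bug and a two-level PKI exposes it. The DN strings, the two-level PKI, the dict-based certificate records and the client selection rule (match the advertised DNs against the issuer DN of each candidate certificate) are all constructed assumptions for illustration.

```python
"""
Model of what a TLS server must put in CertificateRequest.certificate_authorities
(RFC 2246, section 7.4.4): the distinguished names of the CAs it trusts.

Everything here is constructed for illustration: the DN strings, the
two-level PKI and the client selection rule. No real certificates or
GnuTLS APIs are involved.
"""
from typing import Dict, List, Optional, Tuple

Cert = Dict[str, str]  # {"subject": <DN>, "issuer": <DN>}


def make_cert(subject: str, issuer: str) -> Cert:
    """Build a minimal certificate record (constructed data, not real X.509)."""
    return {"subject": subject, "issuer": issuer}


def correct_ca_list(trusted_cas: List[Cert]) -> List[str]:
    """What the server must advertise: the subject DN of each trusted CA."""
    return [ca["subject"] for ca in trusted_cas]


def buggy_ca_list(trusted_cas: List[Cert]) -> List[str]:
    """The behaviour the report describes: the issuer DN of each trusted CA."""
    return [ca["issuer"] for ca in trusted_cas]


def select_client_cert(candidates: List[Cert], advertised: List[str]) -> Optional[Cert]:
    """
    Client-side selection (assumed rule): offer the first certificate whose
    issuer DN appears in the list the server advertised, otherwise nothing.
    """
    for cert in candidates:
        if cert["issuer"] in advertised:
            return cert
    return None


# Constructed two-level PKI: a self-signed root and an intermediate that
# issues client certificates.
ROOT_DN = "CN=Example Root CA,O=Example"
INT_DN = "CN=Example Client CA,O=Example"
root_ca = make_cert(ROOT_DN, ROOT_DN)              # self-signed: issuer == subject
client_ca = make_cert(INT_DN, ROOT_DN)             # intermediate, issued by the root
alice = make_cert("CN=alice,O=Example", INT_DN)    # client cert issued by the intermediate
bob_root = make_cert("CN=bob,O=Example", ROOT_DN)  # client cert issued directly by the root


def simulate(trusted_cas: List[Cert], candidates: List[Cert]) -> Tuple[Optional[Cert], Optional[Cert]]:
    """Return (cert chosen with the correct list, cert chosen with the buggy list)."""
    good = select_client_cert(candidates, correct_ca_list(trusted_cas))
    bad = select_client_cert(candidates, buggy_ca_list(trusted_cas))
    return good, bad


if __name__ == "__main__":
    # Basic setup: the server trusts only the self-signed root. A self-signed
    # CA is its own issuer, so both lists are identical and the bug is masked.
    print(correct_ca_list([root_ca]) == buggy_ca_list([root_ca]))
    print(simulate([root_ca], [bob_root]))

    # Real-world setup: the server trusts the intermediate that issues client
    # certs. The buggy list names the root instead, so alice's certificate,
    # whose issuer is the intermediate, is never offered.
    print(correct_ca_list([client_ca]), buggy_ca_list([client_ca]))
    print(simulate([client_ca], [alice]))
```

With the root-only trust store both lists are `[ROOT_DN]` and selection succeeds either way; with the intermediate in the trust store the correct list is `[INT_DN]` while the buggy list is `[ROOT_DN]`, and the client finds no matching certificate.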