Bug#607616: libgnutls26: the GnuTLS searches CA certs by subject and stops on first? (fails on more CA with the same subj)

Václav Ovsík vaclav.ovsik at i.cz
Thu Jan 20 16:58:07 UTC 2011

On Thu, Jan 20, 2011 at 05:22:12PM +0100, Nikos Mavrogiannopoulos wrote:
> Hello,
> Indeed I'm mistaken.
> > The reported problem is about order of certificates with the same
> > subject DN in the repository during verifying certificate. I have server
> > certificates issued by older and newer CA certificate both valid of
> > course. GnuTLS must find the right certificate of CA from two or even
> > more with the same subject DN.
> > I tried to examine in the bug-report, that based on the order of two CA
> > certificates with the same subject DN IN THE REPOSITORY the GnuTLS fails
> > on newer or older server certificate. There was no change on server
> > sides or so. I changed CA cert order only on the client side repository.
> Yes gnutls does stop on first match no matter if expired or not... Is
> there merit in supporting lists that contain duplicates of certificates?

Changing subject DN on certificate renewals is maybe good practice, but
AFAIK not required. Administrators of our company CA (Microsoft CA)
simply did not change it. Their choice, OK.

OpenSSL handles this smoothly and I think it is a bug otherwise.
When OpenSSL's c_rehash is called on a directory of X.509 certificates, it
numbers hashes with aabbccdd.n, where n is for resolution of the same
Subjects. So when I look into my repository:

zito at bobek:~$ ls -la /etc/ssl/certs|grep ICZ
lrwxrwxrwx 1 root root    18 Jan 19 08:56 0e87c968.0 -> ICZ-Issuing-CA.pem
lrwxrwxrwx 1 root root    20 Jan 19 08:56 0e87c968.1 -> ICZ-Issuing-CA-1.pem
lrwxrwxrwx 1 root root    53 Jan 19 08:52 ICZ-Issuing-CA-1.pem -> /usr/local/share/ca-certificates/ICZ-Issuing-CA-1.crt
lrwxrwxrwx 1 root root    51 Jan 19 08:52 ICZ-Issuing-CA.pem -> /usr/local/share/ca-certificates/ICZ-Issuing-CA.crt
lrwxrwxrwx 1 root root    48 Jan 19 08:52 ICZ-Root-CA.pem -> /usr/local/share/ca-certificates/ICZ-Root-CA.crt
lrwxrwxrwx 1 root root    15 Jan 19 08:56 d0d1f6f2.0 -> ICZ-Root-CA.pem

Certificates ICZ-Issuing-CA.pem and ICZ-Issuing-CA-1.pem (more recent)
have the same hash, so symlinks 0e87c968.0 & 0e87c968.1 exist.
I haven't looked into OpenSSL's internals to see how it implements this in
its X509_STORE structures...

The concurrence of the two CA certs will remain until the older one and
everything it issued expire.
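The difference between the two lookup strategies discussed in this thread, as an added example that is not code from the bug report, GnuTLS or OpenSSL: a toy model of a c_rehash-style store (hash.0, hash.1, ...) holding two CA certificates with the same subject DN. Everything in it (DNs, key ids, dates) is constructed, and signature verification is simulated by comparing key identifiers.

```python
# Added example, not code from the bug report, GnuTLS or OpenSSL: a toy model of a
# c_rehash-style store where two CA certs share one subject DN and so one hash.
# Names, key ids and dates are constructed; signature checking is simulated by
# comparing key ids (SKI/AKI stand-ins) instead of doing real cryptography.
import hashlib
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "subject issuer key_id issuer_key_id not_before not_after")

def subject_hash(dn):
    """Stand-in for `openssl x509 -hash`: 8 hex digits derived from the subject DN."""
    return hashlib.sha1(dn.encode()).hexdigest()[:8]

def rehash(cas):
    """Mimic c_rehash: name each CA <hash>.<n>, numbering duplicates of one hash."""
    store, counters = {}, {}
    for ca in cas:
        h = subject_hash(ca.subject)
        n = counters.get(h, 0)
        counters[h], store[f"{h}.{n}"] = n + 1, ca
    return store

def verifies(cert, ca, today):
    """Toy check: right subject, the key that actually issued cert, CA valid today."""
    return (ca.subject == cert.issuer and ca.key_id == cert.issuer_key_id
            and ca.not_before <= today <= ca.not_after)

def find_issuer_first_match(store, cert, today):
    """Behaviour described in the thread: only the first subject match is tried."""
    ca = store.get(subject_hash(cert.issuer) + ".0")
    return ca if ca is not None and verifies(cert, ca, today) else None

def find_issuer_all_candidates(store, cert, today):
    """Walk <hash>.0, <hash>.1, ... and keep going until some candidate verifies."""
    h, n = subject_hash(cert.issuer), 0
    while (ca := store.get(f"{h}.{n}")) is not None:
        if verifies(cert, ca, today):
            return ca
        n += 1
    return None

# Constructed data: an older and a newer issuing CA with the same subject DN,
# both currently valid, and one server certificate issued by each of them.
TODAY = date(2011, 1, 20)
OLD_CA = Cert("CN=Issuing CA", "CN=Root CA", "ca-old", "root", date(2006, 1, 1), date(2012, 1, 1))
NEW_CA = Cert("CN=Issuing CA", "CN=Root CA", "ca-new", "root", date(2010, 6, 1), date(2016, 6, 1))
SRV_OLD = Cert("CN=old.example", "CN=Issuing CA", "srv-old", "ca-old", date(2009, 1, 1), date(2011, 6, 1))
SRV_NEW = Cert("CN=new.example", "CN=Issuing CA", "srv-new", "ca-new", date(2010, 9, 1), date(2012, 9, 1))
```

With the store built as [OLD_CA, NEW_CA] (matching the .0/.1 listing above) the first-match lookup fails for the server cert issued by the newer CA, and with the order swapped it fails for the older one, while walking all candidates succeeds in both orders.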
