Bug#813243: gnutls-bin: Broken Key Usage flags in certificates created with certtool
Thomas Klute
thomas2.klute at uni-dortmund.de
Sat Jan 30 21:05:25 UTC 2016
Package: gnutls-bin
Version: 3.4.8-2
Severity: normal
Tags: upstream patch
I found that certtool writes broken Key Usage extensions to generated
certificates. For example, when using the following template (from the
mod_gnutls test suite) to create a CA, neither of the requested flags
(certificate signing and CRL signing) is set.
cn="Testing Authority"
ca
cert_signing_key
crl_signing_key
The key usage extension ends up present but empty. This leads to all
certificates issued by the CA getting rejected because signing
certificates violates the certificate's constraints. I've reported the
bug upstream [1] and there is a simple patch [2]. Please apply it to the
version in Sid.
[1] http://lists.gnutls.org/pipermail/gnutls-devel/2016-January/007861.html
[2] https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gnutls-bin depends on:
ii libc6 2.21-7
ii libgmp10 2:6.1.0+dfsg-2
ii libgnutls30 3.4.8-2
ii libhogweed4 3.1.1-4
ii libidn11 1.32-3
ii libnettle6 3.1.1-4
ii libopts25 1:5.18.7-3
ii libp11-kit0 0.23.2-3
ii libtasn1-6 4.7-3
ii zlib1g 1:1.2.8.dfsg-2+b1
gnutls-bin recommends no packages.
gnutls-bin suggests no packages.
-- no debconf information
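
The failure mode reported above (Key Usage extension present but with no bits set) can be checked for directly on the extension value. The following is an added example, not part of the original report or of GnuTLS: a minimal decoder for the DER-encoded KeyUsage BIT STRING as defined in RFC 5280, section 4.2.1.3. The function names and the two sample byte strings are constructed for illustration, and the input is assumed to be the BIT STRING already extracted from the extension.

```python
# Added example: decode an X.509 Key Usage value and flag the CA problem
# described in the report. Bit order follows RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Return the flag names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    flags = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(index, 8)
        # Bit 0 is the most significant bit of the first payload byte.
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            flags.add(name)
    return flags

def ca_key_usage_problems(der: bytes) -> list:
    """List reasons this Key Usage value is unsuitable for a signing CA."""
    flags = decode_key_usage(der)
    problems = []
    if not flags:
        problems.append("Key Usage present but empty")
    for needed in ("keyCertSign", "cRLSign"):
        if needed not in flags:
            problems.append("missing " + needed)
    return problems

# Constructed samples: a BIT STRING with no bits set, and one with
# keyCertSign (bit 5) and cRLSign (bit 6) set.
EMPTY_USAGE = bytes.fromhex("030100")
CA_USAGE = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, value in (("empty", EMPTY_USAGE), ("ca", CA_USAGE)):
        print(label, sorted(decode_key_usage(value)),
              ca_key_usage_problems(value))
```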