I tried to set up a test case for the example that Nikos documented here: http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html

I created a test CA certificate without constraints, then used the instructions to produce a configuration file in the .p11-kit file format. It doesn't work as expected: gnutls-cli allows connections to a domain outside the name space. Either I've made a mistake, or the feature doesn't work as expected. Let's investigate what's wrong.

I'll attach a test CA certificate in PEM format, the public key PEM file I've extracted from it, and the .p11-kit configuration file I've created based on that.

The constraints extension string was created using the https://github.com/nmav/nconstraints tool:

    ./nconstraints .xn--berhcker-3za9u.de

which produced

    %30%25%06%03%55%1d%1e%04%1e%30%1c%a0%1a%30%18%82%16%2e%78%6e%2d%2d%62%65%72%68%63%6b%65%72%2d%33%7a%61%39%75%2e%64%65

I've set up two test sites that use certificates issued by the test CA:

(a) https://stapled-host1.xn--berhcker-3za9u.de/
(b) https://uberhacker-stapled-constraint-ca.kuix.de/

(a) should work, (b) should fail. However, with the attached configuration, (b) gnutls-cli connects without error.
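To check what the nconstraints output in the report actually encodes, and what verdict the two test hosts should get under it, here is an added example. It is not the reporter's code and is not part of nconstraints, p11-kit or GnuTLS. It re-derives the percent-encoded extension blob from a list of permitted dNSName subtrees with a small DER encoder, decodes such a blob back into names, and applies RFC 5280 section 4.2.1.10 dNSName matching to the two hostnames. Assumptions: only dNSName subtrees are handled; the critical flag is omitted, as in the blob from the report; a constraint with a leading dot is taken to match subdomains only, which is an assumption about the intended semantics of the report's configuration, not a statement of what GnuTLS 3.5 does; the surrounding .p11-kit object file layout (label, class, public-key-info) is not reproduced, the attached file has it.

```python
"""Build and decode the nameConstraints extension blob from the report above."""
import urllib.parse

# DER encoding of OID 2.5.29.30 (id-ce-nameConstraints).
NAME_CONSTRAINTS_OID = bytes.fromhex("551d1e")

# The percent-encoded value printed by nconstraints in the report (copied verbatim).
PAGE_VALUE = ("%30%25%06%03%55%1d%1e%04%1e%30%1c%a0%1a%30%18%82%16"
              "%2e%78%6e%2d%2d%62%65%72%68%63%6b%65%72%2d%33%7a%61%39%75%2e%64%65")


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def name_constraints_extension(permitted_dns, excluded_dns=()):
    """DER Extension { extnID = nameConstraints, extnValue = NameConstraints }.

    Only dNSName ([2]) GeneralSubtrees are produced and the critical flag is
    left out, matching the blob in the report (assumption, see lead-in).
    """
    def subtrees(names):
        return b"".join(der_tlv(0x30, der_tlv(0x82, n.encode("ascii"))) for n in names)

    nc_body = b""
    if permitted_dns:
        nc_body += der_tlv(0xA0, subtrees(permitted_dns))   # permittedSubtrees [0]
    if excluded_dns:
        nc_body += der_tlv(0xA1, subtrees(excluded_dns))    # excludedSubtrees [1]
    extn_value = der_tlv(0x04, der_tlv(0x30, nc_body))      # OCTET STRING wrapper
    return der_tlv(0x30, der_tlv(0x06, NAME_CONSTRAINTS_OID) + extn_value)


def p11kit_encode(raw):
    """Percent-encode every byte, the form used for binary values in .p11-kit files."""
    return "".join("%%%02x" % b for b in raw)


def p11kit_decode(text):
    return urllib.parse.unquote_to_bytes(text)


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def parse_name_constraints(ext_der):
    """Decode an Extension blob (from above or from nconstraints) into names."""
    _, ext_body, _ = der_read(ext_der)
    fields = der_children(ext_body)            # OID, optional BOOLEAN, OCTET STRING
    if fields[0][1] != NAME_CONSTRAINTS_OID:
        raise ValueError("not a nameConstraints extension")
    critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
    _, nc_body, _ = der_read(fields[-1][1])
    result = {"critical": critical, "permitted": [], "excluded": []}
    for tag, subtrees in der_children(nc_body):
        key = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in der_children(subtrees):
            gn_tag, gn_val = der_children(subtree)[0]   # base GeneralName; min/max ignored
            result[key].append(gn_val.decode("ascii") if gn_tag == 0x82 else (gn_tag, gn_val))
    return result


def dns_in_subtree(host, constraint):
    """RFC 5280 4.2.1.10 dNSName matching. Assumption: a leading-dot constraint
    (as in the report) matches subdomains only."""
    host, constraint = host.lower().rstrip("."), constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint or host.endswith("." + constraint)


def host_allowed(host, nc):
    """Verdict a leaf dNSName should get under the decoded constraints."""
    excluded = [c for c in nc["excluded"] if isinstance(c, str)]
    permitted = [c for c in nc["permitted"] if isinstance(c, str)]
    if any(dns_in_subtree(host, c) for c in excluded):
        return False
    return not permitted or any(dns_in_subtree(host, c) for c in permitted)


if __name__ == "__main__":
    blob = name_constraints_extension([".xn--berhcker-3za9u.de"])
    print("matches nconstraints output:", p11kit_encode(blob) == PAGE_VALUE)
    nc = parse_name_constraints(p11kit_decode(PAGE_VALUE))
    print(nc)
    for h in ("stapled-host1.xn--berhcker-3za9u.de",
              "uberhacker-stapled-constraint-ca.kuix.de"):
        print(h, "->", "allowed" if host_allowed(h, nc) else "rejected")
```

Running it confirms that the blob from the report is exactly a non-critical nameConstraints extension with a single permitted dNSName subtree ".xn--berhcker-3za9u.de", so under the matching rule assumed here site (a) should be accepted and site (b) rejected. Whatever the library does with the attached file, the encoded constraint itself is what the reporter intended.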
Created attachment 1274358: test-uberhacker-stapled-constraint.p11-kit

This file was copied to /etc/pki/ca-trust/source on a F26 system.

Created attachment 1274359: ca-pem

Created attachment 1274360: ca-pubkey.pem
gnutls-3.5.12-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4c915ec1b
gnutls-3.5.12-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.