Bug 1445913 - Investigate why a stapled domain constraints extension isn't used by GnuTLS
Summary: Investigate why a stapled domain constraints extension isn't used by GnuTLS
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1444799
TreeView+ depends on / blocked
Reported: 2017-04-26 18:33 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2017-05-15 04:41 UTC (History)
4 users (show)

Fixed In Version: gnutls-3.5.12-2.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-15 04:41:33 UTC
Type: Bug

Attachments (Terms of Use)
test-uberhacker-stapled-constraint.p11-kit (2.65 KB, text/plain)
2017-04-26 18:35 UTC, Kai Engert (:kaie) (inactive account)
no flags Details
ca-pem (1.18 KB, text/plain)
2017-04-26 18:35 UTC, Kai Engert (:kaie) (inactive account)
no flags Details
ca-pubkey.pem (1.65 KB, text/plain)
2017-04-26 18:36 UTC, Kai Engert (:kaie) (inactive account)
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1141241 1 None None None 2021-01-20 06:05:38 UTC

Description Kai Engert (:kaie) (inactive account) 2017-04-26 18:33:35 UTC
I tried to setup a test case for the example that Nikos documented here:

I created a test CA certificate without constraints,
then used the instructions to produce a configuration file in the .p11-kit file format.

It doesn't work as expected, gnutls-cli allows connections to a domain outside the name space.

Either I've made a mistake, or the feature doesn't work as expected.
Let's investigate what's wrong.

I'll attach a test CA certificate in PEM format,
the public key PEM file I've extracted from it,
and the .p11-kit configuration file I've created based on that.

The constraints extension string was created using the 
  ./nconstraints .xn--berhcker-3za9u.de
which produced

I've setup two test sites, that use certificates issued by the test CA:

(a) https://stapled-host1.xn--berhcker-3za9u.de/
(b) https://uberhacker-stapled-constraint-ca.kuix.de/

(a) should work, (b) should fail

However, with the attached configuration, (b) gnutls-cli connects without error.

Comment 1 Kai Engert (:kaie) (inactive account) 2017-04-26 18:35:00 UTC
Created attachment 1274358 [details]

This file was copied to /etc/pki/ca-trust/source on a F26 system.

Comment 2 Kai Engert (:kaie) (inactive account) 2017-04-26 18:35:47 UTC
Created attachment 1274359 [details]

Comment 3 Kai Engert (:kaie) (inactive account) 2017-04-26 18:36:10 UTC
Created attachment 1274360 [details]

Comment 4 Fedora Update System 2017-05-12 13:59:00 UTC
gnutls-3.5.12-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c4c915ec1b

Comment 5 Fedora Update System 2017-05-15 04:41:33 UTC
gnutls-3.5.12-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.