A flaw was discovered in the way GnuTLS verify certificate chain provided by remote SSL / TLS server. If the self-signed certificate appears in the middle of the chain, the whole chain will not get verified properly. This allows malicious server to spoof identity of some other server and tick clients using GnuTLS to trust the server, even if the server does not own trusted certificate for common name specified by the client.
The problem seems to have been introduced in following commit:
which first appeared in GnuTLS 1.2.4 released in May 2005:
Update on the flaw description in comment #0:
This issue does not require any crafted self-signed certificate to be listed in the certificate chain. The verification code in the vulnerable versions works as:
- check last certificate in the chain against trusted CA certs
- if last certificate in the chain is self-signed, it is dropped / ignored
- verify possibly shorter certificate chain
It is sufficient for server to provide chain with fake certificate followed by a trusted CA certificate to be successfully verified.
Created attachment 322723 [details]
Proposed patch from the reporter of the issue that upstream plans to use
Public now via:
Fixed upstream in: 2.6.1
Original report from Martin von Gagern:
Original patch contained a bug, different version was proposed:
(only drop last self-signed certificate when chain contains more than once certificate)
The gnutls packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw.
gnutls-2.4.2-3.fc10 has been submitted as an update for Fedora 10.
gnutls-2.0.4-4.fc9 has been submitted as an update for Fedora 9.
gnutls-1.6.3-5.fc8 has been submitted as an update for Fedora 8.
gnutls-2.0.4-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-1.6.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
gnutls-2.4.2-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.