This means that anything else which relies on finding issuers, like certificate validation, can also fail. And when client software wants to include a full trust chain on the wire along with a client certificate, it can't, which leads to authentication failures. My employer uses intermediate CAs which they reissue every three years, with the *same* name. Thus there are about three CAs with the name 'Intel_Intranet_Basic_Issuing_CA_1B'. If you are trying to verify a certificate issued by one of those, and GnuTLS picks the wrong CA based on the name alone, it's going to find that the signature doesn't validate. This is fixed in GnuTLS 3.0.19.
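The failure mode described in this comment, as an added example (not GnuTLS code, and not the reporter's): a trust store holding three generations of a CA that all carry the same subject name, and two issuer lookups against it. The name-only lookup stops at the first name match and the signature check then fails; the fixed lookup considers every same-named candidate, narrows by Authority/Subject Key Identifier where the leaf carries an AKI, and only accepts a candidate under whose key the signature actually verifies. The CA name is the one quoted above; the key bytes, leaf certificate and `toy_sign`/`toy_verify` scheme are constructed stand-ins for real key material and an RSA/ECDSA check.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    public_key: bytes                        # stand-in for SubjectPublicKeyInfo
    tbs: bytes                               # stand-in for the to-be-signed body
    signature: bytes
    authority_key_id: Optional[bytes] = None  # AKI: key identifier of the signing key


def key_id(public_key: bytes) -> bytes:
    """Subject Key Identifier in the RFC 5280 style: SHA-1 over the key bytes."""
    return hashlib.sha1(public_key).digest()


def toy_sign(public_key: bytes, tbs: bytes) -> bytes:
    """Constructed stand-in for a CA signature. Not a real signature scheme;
    it only has the property the example needs: it verifies under exactly one key."""
    return hashlib.sha256(public_key + tbs).digest()


def toy_verify(issuer: Cert, cert: Cert) -> bool:
    """Check cert.signature against the issuer's key (stand-in for RSA/ECDSA verify)."""
    return cert.signature == toy_sign(issuer.public_key, cert.tbs)


def find_issuer_by_name_only(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """The behaviour the bug describes: take the first CA whose subject matches
    the issuer name and stop looking."""
    for ca in store:
        if ca.subject == cert.issuer:
            return ca
    return None


def find_issuer(cert: Cert, store: List[Cert],
                verify: Callable[[Cert, Cert], bool] = toy_verify) -> Optional[Cert]:
    """Fixed lookup: keep every CA with the matching name, prefer those whose
    SKI matches the certificate's AKI, and accept a candidate only if the
    signature verifies under its key."""
    candidates = [ca for ca in store if ca.subject == cert.issuer]
    if cert.authority_key_id is not None:
        keyed = [ca for ca in candidates if key_id(ca.public_key) == cert.authority_key_id]
        candidates = keyed or candidates  # no AKI/SKI pairing: fall back to name matches
    for ca in candidates:
        if verify(ca, cert):
            return ca
    return None


def make_ca(name: str, public_key: bytes) -> Cert:
    """Self-signed CA record (constructed)."""
    tbs = name.encode() + public_key
    return Cert(name, name, public_key, tbs, toy_sign(public_key, tbs))


def make_leaf(subject: str, issuer: Cert, public_key: bytes, with_aki: bool) -> Cert:
    """End-entity record signed by `issuer`, with or without an AKI (constructed)."""
    tbs = subject.encode() + public_key
    return Cert(subject, issuer.subject, public_key, tbs,
                toy_sign(issuer.public_key, tbs),
                key_id(issuer.public_key) if with_aki else None)


CA_NAME = "Intel_Intranet_Basic_Issuing_CA_1B"
# Three generations of the same-named CA, each with its own key (constructed).
STORE = [make_ca(CA_NAME, b"gen1-key"),
         make_ca(CA_NAME, b"gen2-key"),
         make_ca(CA_NAME, b"gen3-key")]
LEAF = make_leaf("CN=host.example", STORE[1], b"leaf-key", with_aki=True)
LEAF_NO_AKI = make_leaf("CN=host.example", STORE[1], b"leaf-key", with_aki=False)


def demo() -> dict:
    """Compare the name-only lookup with the fixed lookup for a leaf signed by gen2."""
    buggy = find_issuer_by_name_only(LEAF, STORE)
    fixed = find_issuer(LEAF, STORE)
    return {
        "buggy_picks_gen": STORE.index(buggy) + 1,
        "buggy_verifies": toy_verify(buggy, LEAF),
        "fixed_picks_gen": STORE.index(fixed) + 1,
        "fixed_verifies": toy_verify(fixed, LEAF),
        "fixed_without_aki_picks_gen": STORE.index(find_issuer(LEAF_NO_AKI, STORE)) + 1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The AKI/SKI narrowing is an optimisation, not the safety property: the leaf without an AKI still resolves to the right generation because the signature check is applied to every same-named candidate. That is the check a trust-store lookup needs before it hands a candidate issuer to chain building or to a client that is assembling a chain to send on the wire.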
Hm, I think I lie; it's fixed in 3.0.20 not 3.0.19.
Note that this has not been fixed in any LGPLv2.1-licensed version of GnuTLS upstream; the fix is under LGPLv3. If you backport it, you probably need to ask the maintainer for permission or (less sanely) license your entire package under LGPLv3.
(In reply to comment #2)
> Note that this has not been fixed in any LGPLv2.1-licensed version of GnuTLS
> upstream; the fix is under LGPLv3. If you backport it, you probably need to
> ask the maintainer for permission or (less sanely) license your entire
> package under LGPLv3.

Untrue - it was released in 2.12.20 where the library is still LGPLv2.1. But thanks for this heads up - one more thing to remember to change in the .spec once we move to the 3.0 branch.
Ah right. Nikos has pushed that fix and released 2.12.20 since I identified it. My local git tree still has the gnutls_2_12_x branch at the 2.12.19 release. No problem then (not that asking for permission would likely have been a problem either).
I just ran into this problem... it is definitely a security hazard. Any chance this fix could be pushed?
gnutls-2.12.20-4.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/gnutls-2.12.20-4.fc17
gnutls-2.12.14-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/gnutls-2.12.14-4.fc16
Package gnutls-2.12.20-4.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.20-4.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17641/gnutls-2.12.20-4.fc17
then log in and leave karma (feedback).
Tested, and works as it should.
gnutls-2.12.14-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-2.12.20-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.