A flaw was discovered in the way GnuTLS verifies the certificate chain provided by a remote SSL / TLS server. If the self-signed certificate appears in the middle of the chain, the whole chain will not get verified properly. This allows a malicious server to spoof the identity of some other server and trick clients using GnuTLS into trusting the server, even if the server does not own a trusted certificate for the common name specified by the client.
The problem seems to have been introduced in the following commit: http://repo.or.cz/w/gnutls.git?a=commitdiff;h=c154545b8a3df4f7d06c6aa335c18740cbecf57a which first appeared in GnuTLS 1.2.4, released in May 2005: http://lists.gnupg.org/pipermail/gnutls-dev/2005-May/000875.html
Update on the flaw description in comment #0: This issue does not require any crafted self-signed certificate to be listed in the certificate chain. The verification code in the vulnerable versions works as:
- check last certificate in the chain against trusted CA certs
- if last certificate in the chain is self-signed, it is dropped / ignored
- verify possibly shorter certificate chain
It is sufficient for a server to provide a chain with a fake certificate followed by a trusted CA certificate to be successfully verified.
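A toy model of the three steps listed above, added here as an illustration; it is not GnuTLS code and not the upstream patch. Signatures are modelled as string matches, and the struct, the function names, the sample certificates and the corrected ordering in `verify_checked` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate, no real crypto: `signer` names the key that actually
 * produced the signature, so "signature verifies" is a string match. */
struct cert { const char *subject; const char *signer; };

static int issued_by(const struct cert *c, const struct cert *ca) {
    return strcmp(c->signer, ca->subject) == 0;
}
static int self_signed(const struct cert *c) { return issued_by(c, c); }

/* Is c signed by one of the trusted CA certificates? */
static int anchored(const struct cert *c, const struct cert *tas, int nt) {
    for (int i = 0; i < nt; i++)
        if (issued_by(c, &tas[i])) return 1;
    return 0;
}

/* Each certificate must be signed by the one that follows it. */
static int links_ok(const struct cert *chain, int n) {
    for (int i = n - 1; i > 0; i--)
        if (!issued_by(&chain[i - 1], &chain[i])) return 0;
    return 1;
}

/* Order described in this bug: trusted-CA check, then drop, then links. */
int verify_flawed(const struct cert *chain, int n, const struct cert *tas, int nt) {
    if (n < 1 || !anchored(&chain[n - 1], tas, nt)) return 0;
    if (self_signed(&chain[n - 1])) n--; /* new last cert never meets a trusted CA */
    return links_ok(chain, n);           /* one cert left: no link is checked */
}

/* Assumed corrected order (not the upstream patch): drop the trailing
 * self-signed cert only when more than one cert is present, then check. */
int verify_checked(const struct cert *chain, int n, const struct cert *tas, int nt) {
    if (n < 1) return 0;
    if (n > 1 && self_signed(&chain[n - 1])) n--;
    if (!anchored(&chain[n - 1], tas, nt)) return 0;
    return links_ok(chain, n);
}

/* Constructed sample data. */
const struct cert TRUSTED[]   = { { "Root CA", "Root CA" } };
const struct cert UNVOUCHED[] = { { "www.example.test", "unknown key" }, { "Root CA", "Root CA" } };
const struct cert GENUINE[]   = { { "www.example.test", "Root CA" }, { "Root CA", "Root CA" } };

int main(void) {
    printf("unvouched chain: flawed=%d checked=%d\n",
           verify_flawed(UNVOUCHED, 2, TRUSTED, 1), verify_checked(UNVOUCHED, 2, TRUSTED, 1));
    return 0;
}
```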
Created attachment 322723
Proposed patch from the reporter of the issue that upstream plans to use
Public now via:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
http://www.gnu.org/software/gnutls/security.html
Fixed upstream in: 2.6.1
Original report from Martin von Gagern: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
The original patch contained a bug; a different version was proposed: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3224 (only drop last self-signed certificate when chain contains more than one certificate)
The gnutls packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw.
gnutls-2.4.2-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/gnutls-2.4.2-3.fc10
gnutls-2.0.4-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/gnutls-2.0.4-4.fc9
gnutls-1.6.3-5.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/gnutls-1.6.3-5.fc8
gnutls-2.0.4-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-1.6.3-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0982.html
Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9600
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9530
gnutls-2.4.2-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.