GnuTLS allows unrelated certificates in the certificate chain during client certificate authentication
Description of problem:
GnuTLS allows the client to present, in addition to a valid certificate chain, unrelated additional certificates in its certificate message during client authentication. While this is somewhat allowed in TLS 1.3, it's prohibited in prior versions.
Version of gnutls used:
3.6.13, 3.6.14
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Compiled from source after cloning the respective branch from GitHub
How reproducible:
Steps to Reproduce:
- Start gnutls-serv with
  - ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem for --x509certfile
  - rsakey_2.pem for --x509keyfile
  - root.pem for --x509cafile
  - require client certificate (-r)
  - verify client certificate (--verify-client-cert)
- ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem for
I am unaware of any currently public tool that allows one to add unrelated certificates in the certificate message during the TLS handshake. Hence I provide two Wireshark traces which show a successful handshake, first with an additional certificate after the last intermediate CA certificate and second with an additional certificate between leaf and intermediate CA certificate. Additionally, I provide the certificates used in their order of occurrence.
- First trace: AdditionalCertAfterChain.pcapng
- Second trace: AdditionalCertAfterLeaf.pcapng
Key for the leaf certificate:
Actual results:
GnuTLS accepts the certificate chain, apparently ignoring the additional, unrelated certificate.
Expected results:
GnuTLS should reject the certificate chain in TLS 1.2 and prior.
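The two message layouts from the traces above, reproduced as an added example that is not part of this report and not GnuTLS code. It builds a throwaway root -> CA -> leaf PKI plus one unrelated self-signed certificate (all names and keys are constructed here), then checks each certificate_list twice: once with a pool-based verifier that treats everything after the leaf as a bag of candidate intermediates (the lenient behaviour described in the report, and also what Go's own x509.Verify does), and once with the TLS 1.2 rule from RFC 5246 section 7.4.2, under which each certificate must directly certify the one preceding it and nothing else may appear. RFC 8446 section 4.4.2 relaxes this for TLS 1.3, so the strict check is the one a pre-1.3 server should apply.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // monotonic serial for the constructed test certificates

// mkCert issues a short-lived P-256 test certificate for cn. With parent == nil it is self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type scenario struct {
	Name string
	Msg  []*x509.Certificate // certificate_list as the client would send it, leaf first
}

// buildScenarios constructs the PKI (hypothetical names) and the three layouts from the report:
// a clean chain, an extra certificate appended after the chain, and one inserted after the leaf.
func buildScenarios() ([]*x509.Certificate, []scenario) {
	root, rootKey := mkCert("Test Root", true, nil, nil)
	ca, caKey := mkCert("Test CA", true, root, rootKey)
	leaf, _ := mkCert("client", false, ca, caKey)
	other, _ := mkCert("Unrelated", true, nil, nil) // chains to nothing the server trusts
	return []*x509.Certificate{root}, []scenario{
		{"valid chain", []*x509.Certificate{leaf, ca}},
		{"extra cert after chain", []*x509.Certificate{leaf, ca, other}},
		{"extra cert after leaf", []*x509.Certificate{leaf, other, ca}},
	}
}

// verifyLenient ignores the order of everything after the leaf: all remaining certificates
// become candidate intermediates and unrelated ones are simply never used.
func verifyLenient(msg []*x509.Certificate, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range msg[1:] {
		interPool.AddCert(c)
	}
	_, err := msg[0].Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// verifyStrict applies the TLS 1.2 ordering rule: certificate i+1 must be the issuer of
// certificate i (matching name and a valid signature), and the last one must be, or be
// issued by, a trusted root. A certificate that fits nowhere is a protocol violation.
func verifyStrict(msg []*x509.Certificate, roots []*x509.Certificate) error {
	if len(msg) == 0 {
		return errors.New("empty certificate_list")
	}
	for i := 0; i+1 < len(msg); i++ {
		child, parent := msg[i], msg[i+1]
		if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
			return fmt.Errorf("certificate %d does not certify certificate %d", i+1, i)
		}
		if err := child.CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("certificate %d: bad signature from certificate %d: %w", i, i+1, err)
		}
	}
	last := msg[len(msg)-1]
	for _, r := range roots {
		if bytes.Equal(last.Raw, r.Raw) ||
			(bytes.Equal(last.RawIssuer, r.RawSubject) && last.CheckSignatureFrom(r) == nil) {
			return nil
		}
	}
	return errors.New("chain does not end at a trusted root")
}

func main() {
	roots, scs := buildScenarios()
	for _, sc := range scs {
		fmt.Printf("%-24s lenient: %v\n%-24s strict:  %v\n", sc.Name, verifyLenient(sc.Msg, roots), "", verifyStrict(sc.Msg, roots))
	}
}
```

The lenient verifier accepts all three layouts, which matches the "actual results" above; the strict one accepts only the clean chain and names the offending position for the other two. A server that negotiates TLS 1.2 or earlier needs the strict check before it hands the list to a pool-based path builder, because the path builder will never see the extra certificate as an error.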