GnuTLS rejects a cert since it cannot parse the critical ext Netscape Cert Type
Description of problem:
GnuTLS rejects a cert since it cannot parse the critical ext Netscape Cert Type. OpenSSL, mbedTLS, and WolfSSL accept it.
Version of gnutls used:
3.5.5, 3.6.13
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu x64
How reproducible:
Steps to Reproduce:
certtool --verify --load-ca-certificate ca.pem --infile seed-4s18-107s39-405s19.pem.pem
Actual results:
certtool --verify --load-ca-certificate ./certs_related/ca.pem --infile ./certs/seed-4s18-107s39-405s19.pem
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
Subject: serialNumber=serialNumber2,CN=Susan Housley2,DC=DC2,dnQualifier=dnQ2,OU=network security\, Counter-Terrorism Committee,O=Counter-Terrorism Committee,ST=New York State,C=UN
Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
Checked against: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate contains an unknown critical extension.
Expected results:
Consistent verification results among GnuTLS and other TLS implementations.