Skip to content
GitLab

GnuTLS: Consider depth-first ("branching") certificate path building strategy

Description of the feature:

Over the past couple years, there have been a series of blog posts highlighting the need for improved certificate path building strategies in TLS libraries. Notably:

  • Ryan Sleevi (part one, part two) describes a certificate path building strategy based on depth-first search, where path building is part of certificate verification and not a separate initial step in order to ensure the implementation can consider another path if verification of the first path fails.
  • Ian Haken introduces a bettertls test server that evaluates the robustness of TLS client path building, and shares the results for GnuTLS and other clients. Here he calls Ryan's strategy "branched" path building.
  • Scott Helme (part one, part two, and part three, part four) provide additional background and motivation. (Most of this will already be familiar to TLS library developers.)

To the best of my knowledge, GnuTLS's current path building strategy is currently sufficient for compatibility with today's web. That said, it would be prudent to consider whether GnuTLS should adopt Ryan's suggested path building strategy, which would allow passing the bettertls tests. This might improve confidence that GnuTLS will be unaffected by future incidents where a large number of websites break after a particular root certificate expiration, similar to #1008 (closed).

Applications that this feature may be relevant to:

All

Is this feature implemented in other libraries (and which)

According to this blog post this path building strategy is implemented by: Rusttls, Go, Java, LibreSSL, Firefox, Chromium

Notably not implemented by: OpenSSL, BoringSSL