Service Desk (from quentin.gouchet@gmail.com): GnuTLS does not check for crlSign field
OS: Fedora 28
Using:
gnutls-3.6.3-4.fc28.x86_64
openssl version: openssl-1.1.0h-3.fc28.x86_64

Create a CA certificate which does not contain the cRLSign value in the extendedKeyUsage field. You can verify that the created CA does not have this value by running:
$ openssl x509 -in certs/rootCA.cert -noout -text | grep -i 'crl'

Start an SSL server:
$ openssl s_server -CAfile certs/rootCA.cert -cert certs/server.cert -key key/server.key -accept 443

Connect using GnuTLS Client:
$ gnutls-cli --x509cafile=certs/rootCA.cert --x509crlfile=crl/rootCA.crl Server

The gnutls-cli command should not succeed given that the rootCA.cert does not contain the cRLSign attribute in the extendedKeyUsage field.
Best regards, Quentin
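
The check the report expects, as an added sketch that is not part of the original report and not GnuTLS code. RFC 5280 defines cRLSign as bit 6 of the keyUsage extension and requires (section 6.3.3) that a CRL issuer certificate carrying keyUsage has that bit set; the function names and the two sample extension values below are constructed for illustration.

```python
# Decode a DER-encoded KeyUsage BIT STRING and apply the RFC 5280 rule that
# a CRL issuer whose certificate carries keyUsage must assert cRLSign.
# Illustrative sketch only; names are hypothetical, samples are constructed.

KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the names of the bits set in a DER BIT STRING (short form)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first payload byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def may_sign_crls(key_usage_der) -> bool:
    """None means the extension is absent, which imposes no restriction."""
    if key_usage_der is None:
        return True
    return "cRLSign" in decode_key_usage(key_usage_der)

# Constructed samples: extension values as they appear inside a certificate.
CA_WITH_CRLSIGN = bytes.fromhex("03020106")     # keyCertSign + cRLSign
CA_WITHOUT_CRLSIGN = bytes.fromhex("03020204")  # keyCertSign only

if __name__ == "__main__":
    for label, value in (("with", CA_WITH_CRLSIGN),
                         ("without", CA_WITHOUT_CRLSIGN)):
        verdict = "accept" if may_sign_crls(value) else "reject"
        print(label, sorted(decode_key_usage(value)), "->", verdict, "CRL")
```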