Can't connect to websites with the certificate "TWCA Global Root CA" in the chain due to missing subject key identifier
Description of problem:
Programs using GnuTLS, including
gnutls-cli and WebKitGTK-based browsers (e.g., GNOME epiphany), can't connect to websites with the certificate "TWCA Global Root CA" in the chain.
Take www.ntu.edu.tw as an example. In the server-provided certificate chain, the first intermediate CA "TWCA Secure SSL Certification Authority" has authority key identifier
48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50. The second intermediate CA in the chain "TWCA Global Root CA" has the matching subject key identifier
48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50, so ideally there are no problems.
The problem is, on Arch Linux, GnuTLS is configured to use p11-kit for checking certificate chains. Also,
certdata.txt from Mozilla NSS is used as the default trust store. In certdata.txt, the certificate "TWCA Global Root CA" is also included as a trusted CA, and the corresponding certificate does not have a subject key identifier. As a result,
A workaround is removing "TWCA Global Root CA" from the system trust store. After that all GnuTLS-based programs work just fine.
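To make the failure mode described above concrete, here is an added example; it is not part of the bug report and is not GnuTLS or p11-kit code. It parses the subjectKeyIdentifier and authorityKeyIdentifier extensions out of a DER-encoded X.509 Extensions sequence and contrasts two ways of selecting a trust-store issuer for the intermediate: a strict match that requires the root's SKI to equal the intermediate's AKI, and name-based chaining in the spirit of RFC 5280 that only uses key identifiers as a consistency check when both sides carry one. The key identifier is the one quoted above; the three certificates (the root as sent by the server with an SKI, the same root as stored in the trust store without one, and a re-keyed root with the same name) are constructed stand-ins, not the real TWCA certificates, and their dict layout and subject/issuer strings are assumptions for illustration. Signature verification, which a real path builder would also perform, is omitted.

```python
"""Key-identifier chaining versus name chaining (added example, constructed data)."""

OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(seq):
    """Yield (tag, value) for each TLV inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = der_read_tlv(seq, pos)
        yield tag, value


def parse_key_identifiers(extensions_der):
    """Return (ski, aki_keyid) from a DER Extensions SEQUENCE; None when absent."""
    _, ext_seq, _ = der_read_tlv(extensions_der, 0)
    ski = aki = None
    for _, ext in der_children(ext_seq):
        fields = list(der_children(ext))  # extnID, [critical], extnValue
        oid = fields[0][1]
        tag, inner, _ = der_read_tlv(fields[-1][1], 0)  # unwrap extnValue OCTET STRING
        if oid == OID_SKI and tag == 0x04:
            ski = inner  # SubjectKeyIdentifier ::= KeyIdentifier (OCTET STRING)
        elif oid == OID_AKI and tag == 0x30:
            for ctag, cval in der_children(inner):
                if ctag == 0x80:  # [0] IMPLICIT keyIdentifier
                    aki = cval
    return ski, aki


# --- constructed sample data (not real certificates) ------------------------

def tlv(tag, content):
    """Minimal DER encoder for building the sample extensions."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def ski_ext(keyid):
    return tlv(0x30, tlv(0x06, OID_SKI) + tlv(0x04, tlv(0x04, keyid)))


def aki_ext(keyid):
    return tlv(0x30, tlv(0x06, OID_AKI) + tlv(0x04, tlv(0x30, tlv(0x80, keyid))))


KEYID = bytes.fromhex("48dbcdde8ee949725a88e8b1d83d07b3b96b6650")  # from the report
OTHER_KEYID = bytes.fromhex("00" * 20)  # made-up, for a re-keyed root

INTERMEDIATE = {"subject": "CN=TWCA Secure SSL Certification Authority",
                "issuer": "CN=TWCA Global Root CA",
                "extensions": tlv(0x30, aki_ext(KEYID))}
ROOT_WITH_SKI = {"subject": "CN=TWCA Global Root CA", "issuer": "CN=TWCA Global Root CA",
                 "extensions": tlv(0x30, ski_ext(KEYID))}       # as sent by the server
ROOT_NO_SKI = {"subject": "CN=TWCA Global Root CA", "issuer": "CN=TWCA Global Root CA",
               "extensions": tlv(0x30, b"")}                     # as stored in certdata.txt
REKEYED_ROOT = {"subject": "CN=TWCA Global Root CA", "issuer": "CN=TWCA Global Root CA",
                "extensions": tlv(0x30, ski_ext(OTHER_KEYID))}   # same name, other key


def issuer_candidates_strict(child, trust_store):
    """Require SKI == AKI; a trust anchor without an SKI can never match."""
    _, aki = parse_key_identifiers(child["extensions"])
    return [c for c in trust_store
            if aki is not None and parse_key_identifiers(c["extensions"])[0] == aki]


def issuer_candidates_rfc5280(child, trust_store):
    """Chain by issuer/subject name; reject only when both key ids exist and differ."""
    _, aki = parse_key_identifiers(child["extensions"])
    out = []
    for cand in trust_store:
        if cand["subject"] != child["issuer"]:
            continue
        ski, _ = parse_key_identifiers(cand["extensions"])
        if aki is not None and ski is not None and ski != aki:
            continue  # same name but a different key: not this child's issuer
        out.append(cand)
    return out


if __name__ == "__main__":
    store = [ROOT_NO_SKI, REKEYED_ROOT]
    print("strict:", [c["subject"] for c in issuer_candidates_strict(INTERMEDIATE, store)])
    print("name-based:", [c["subject"] for c in issuer_candidates_rfc5280(INTERMEDIATE, store)])
```

Run stand-alone, the strict matcher returns no issuer for the trust-store copy of the root (the situation the report describes), while the name-based matcher still selects it and still rejects the re-keyed root whose SKI disagrees with the intermediate's AKI.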
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Steps to Reproduce:
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.ntu.edu.tw
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.citi.sinica.edu.tw
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.twca.com.tw
The other two websites yield similar results.
gnutls-cli connects to the specified website and waits for input.