Created Sep 20, 2018 by Chih-Hsuan Yen@yan12125

Can't connect to websites with the certificate "TWCA Global Root CA" in the chain due to missing subject key identifier

Description of problem:

Programs using GnuTLS, including gnutls-cli and WebKitGTK-based browsers (e.g., GNOME epiphany), can't connect to websites with the certificate "TWCA Global Root CA" in the chain.

Take www.ntu.edu.tw as an example. In the server-provided certificate chain, the first intermediate CA "TWCA Secure SSL Certification Authority" has authority key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50. The second intermediate CA in the chain "TWCA Global Root CA" has the matching subject key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50, so ideally there are no problems.

The problem is, on Arch Linux, GnuTLS is configured to use p11-kit for checking certificate chains [1]. Also, certdata.txt from Mozilla NSS is used as the default trust store. In certdata.txt, the certificate "TWCA Global Root CA" is also included as a trusted CA, and the corresponding certificate does not have a subject key identifier. As a result, _gnutls_check_valid_key_id() fails.

A workaround is removing "TWCA Global Root CA" from the system trust store. After that all GnuTLS-based programs work just fine.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnutls#n36

Version of gnutls used:

3.5.19

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):

Arch Linux

How reproducible:

Steps to Reproduce:

  • P11_KIT_DEBUG=all gnutls-cli -d 3 www.ntu.edu.tw
  • P11_KIT_DEBUG=all gnutls-cli -d 3 www.citi.sinica.edu.tw
  • P11_KIT_DEBUG=all gnutls-cli -d 3 www.twca.com.tw

Actual results:

Output for www.ntu.edu.tw: output.txt

The other two websites yield similar results.

Expected results:

gnutls-cli connects to the specified website and waits for input.
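The failure described in this report comes down to how an issuer is matched when the trust anchor carries no Subject Key Identifier. The following is an added illustration, not GnuTLS code and not the fix that shipped: it models the strict rule (AKI must equal the issuer's SKI, so a root without an SKI never matches) beside a tolerant rule that falls back to deriving the key identifier from the issuer's public key as in RFC 5280 section 4.2.1.2, method (1). The certificates are constructed stand-ins; the public-key bytes are placeholders, not the real TWCA keys.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Cert:
    subject: str
    issuer: str
    public_key: bytes            # value of the subjectPublicKey BIT STRING (placeholder here)
    ski: Optional[bytes] = None  # SubjectKeyIdentifier, if the certificate carries one
    aki: Optional[bytes] = None  # AuthorityKeyIdentifier.keyIdentifier, if present

def rfc5280_key_id(public_key: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(public_key).digest()

def key_id_matches(child: Cert, issuer: Cert, strict: bool) -> bool:
    """Does `issuer` satisfy the key-identifier check for `child`?"""
    if child.aki is None:
        return True                      # nothing to compare; name match and signature still apply
    if issuer.ski is not None:
        return child.aki == issuer.ski   # the normal case
    if strict:
        return False                     # the behaviour this issue reports: no SKI, no match
    # tolerant rule: derive the identifier from the issuer's key instead
    return child.aki == rfc5280_key_id(issuer.public_key)

def issuer_for(child: Cert, candidates: List[Cert], strict: bool) -> Optional[Cert]:
    """Pick the first candidate whose subject names the child's issuer and whose key id fits."""
    for cand in candidates:
        if cand.subject == child.issuer and key_id_matches(child, cand, strict):
            return cand
    return None

# Constructed sample chain: the trust-store copy of the root has no SKI, and the
# intermediate's AKI was produced from the root key by the RFC 5280 method.
ROOT_KEY = b"placeholder-root-public-key-bits"
ROOT_FROM_STORE = Cert("TWCA Global Root CA", "TWCA Global Root CA", ROOT_KEY, ski=None)
INTERMEDIATE = Cert("TWCA Secure SSL Certification Authority", "TWCA Global Root CA",
                    b"placeholder-intermediate-key", ski=b"\x01" * 20,
                    aki=rfc5280_key_id(ROOT_KEY))
UNRELATED_ROOT = Cert("TWCA Global Root CA", "TWCA Global Root CA", b"some-other-key")

if __name__ == "__main__":
    print("strict:  ", issuer_for(INTERMEDIATE, [ROOT_FROM_STORE], strict=True))
    print("tolerant:", issuer_for(INTERMEDIATE, [ROOT_FROM_STORE], strict=False).subject)
```

A name-only match is not enough on its own: `UNRELATED_ROOT` shares the subject name but a different key, and the derived identifier rejects it under both rules.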

Milestone: Release of GnuTLS 3.6.4