Can't connect to websites with the certificate "TWCA Global Root CA" in the chain due to missing subject key identifier
Description of problem:
Programs using GnuTLS, including gnutls-cli and WebKitGTK-based browsers (e.g., GNOME epiphany), can't connect to websites with the certificate "TWCA Global Root CA" in the chain.
Take www.ntu.edu.tw as an example. In the server-provided certificate chain, the first intermediate CA "TWCA Secure SSL Certification Authority" has authority key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50. The second intermediate CA in the chain, "TWCA Global Root CA", has the matching subject key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50, so ideally there are no problems.
The problem is that on Arch Linux, GnuTLS is configured to use p11-kit for checking certificate chains [1], and certdata.txt from Mozilla NSS is used as the default trust store. In certdata.txt, the certificate "TWCA Global Root CA" is also included as a trusted CA, but that copy of the certificate does not have a subject key identifier. As a result, _gnutls_check_valid_key_id() fails.
A workaround is removing "TWCA Global Root CA" from the system trust store. After that, all GnuTLS-based programs work just fine.
[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnutls#n36
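The following is an added illustration, not code from the original report or from GnuTLS: a minimal DER walker that pulls the Subject Key Identifier (OID 2.5.29.14) and Authority Key Identifier (OID 2.5.29.35) out of an X.509 Extensions SEQUENCE, plus a simplified key-id matching step that reproduces the failure mode described above. The key identifier value is the one quoted in the report; the three extension blocks standing in for the intermediate, the chain copy of the root and the trust-store copy of the root are constructed here, and key_ids_match() is a hypothetical model of a strict versus lenient check, not the actual logic of _gnutls_check_valid_key_id().

```python
# Added example (not part of the bug report or of GnuTLS). Demonstrates why a
# trust-store copy of the root that lacks a Subject Key Identifier cannot
# satisfy a strict AKI/SKI match against the intermediate's Authority Key
# Identifier, while the copy sent in the server's chain can.
from typing import Dict, Optional, Tuple

SKI_OID = "2.5.29.14"  # subjectKeyIdentifier
AKI_OID = "2.5.29.35"  # authorityKeyIdentifier
BC_OID = "2.5.29.19"   # basicConstraints (used only to exercise the parser)

# --- tiny DER encoder, enough to build Extensions for the demo -------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def extension(dotted: str, value: bytes, critical: bool = False) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, oid(dotted) + flag + tlv(0x04, value))

def ski_extension(keyid: bytes) -> bytes:
    # SubjectKeyIdentifier ::= KeyIdentifier (OCTET STRING)
    return extension(SKI_OID, tlv(0x04, keyid))

def aki_extension(keyid: bytes) -> bytes:
    # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }
    return extension(AKI_OID, tlv(0x30, tlv(0x80, keyid)))

# --- tiny DER decoder ------------------------------------------------------
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_extensions(exts_der: bytes) -> Dict[str, bytes]:
    """Map extnID -> raw extnValue (OCTET STRING contents) of an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(exts_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                      # optional critical BOOLEAN precedes the value
            _, val, p = read_tlv(ext, p)
        result[decode_oid(oid_body)] = val
    return result

def subject_key_id(exts: Dict[str, bytes]) -> Optional[bytes]:
    raw = exts.get(SKI_OID)
    return None if raw is None else read_tlv(raw, 0)[1]

def authority_key_id(exts: Dict[str, bytes]) -> Optional[bytes]:
    raw = exts.get(AKI_OID)
    if raw is None:
        return None
    _, seq, _ = read_tlv(raw, 0)
    pos = 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0x80:                    # [0] keyIdentifier
            return body
    return None

def key_ids_match(child_aki: Optional[bytes], issuer_ski: Optional[bytes], strict: bool) -> bool:
    """Hypothetical key-id step of an issuer check (assumption, not GnuTLS's code).
    strict=True : an issuer candidate without an SKI can never satisfy the child's AKI,
                  which is the behaviour the report describes.
    strict=False: a missing issuer SKI is inconclusive; the caller must still verify
                  issuer name and signature before accepting the candidate."""
    if child_aki is None:
        return True
    if issuer_ski is None:
        return not strict
    return child_aki == issuer_ski

# Key identifier quoted in the report; the extension blocks below are constructed.
TWCA_KEYID = bytes.fromhex("48dbcdde8ee949725a88e8b1d83d07b3b96b6650")
INTERMEDIATE_EXTS = tlv(0x30, aki_extension(TWCA_KEYID))            # "TWCA Secure SSL Certification Authority"
ROOT_FROM_CHAIN_EXTS = tlv(0x30, ski_extension(TWCA_KEYID)          # chain copy of "TWCA Global Root CA", has SKI
                           + extension(BC_OID, tlv(0x30, tlv(0x01, b"\xff")), critical=True))
ROOT_FROM_TRUST_STORE_EXTS = tlv(0x30, extension(BC_OID, tlv(0x30, tlv(0x01, b"\xff")), critical=True))  # no SKI

def check(child_exts_der: bytes, issuer_exts_der: bytes, strict: bool) -> bool:
    child, issuer = parse_extensions(child_exts_der), parse_extensions(issuer_exts_der)
    return key_ids_match(authority_key_id(child), subject_key_id(issuer), strict)

if __name__ == "__main__":
    print("chain root, strict      :", check(INTERMEDIATE_EXTS, ROOT_FROM_CHAIN_EXTS, True))        # True
    print("trust-store root, strict:", check(INTERMEDIATE_EXTS, ROOT_FROM_TRUST_STORE_EXTS, True))  # False (the bug)
    print("trust-store root, lenient:", check(INTERMEDIATE_EXTS, ROOT_FROM_TRUST_STORE_EXTS, False))  # True
```

The three printed lines show the situation from the report: the same CA is a valid issuer when judged by the copy in the server's chain, but the trust-store copy, which carries no SKI, fails a strict key-id comparison even though it has the same subject name and key. The lenient branch only says the key-id test is inconclusive; a real verifier still has to confirm the issuer name and the signature before trusting the candidate.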
Version of gnutls used:
3.5.19
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Arch Linux
How reproducible:
Steps to Reproduce:
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.ntu.edu.tw
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.citi.sinica.edu.tw
- P11_KIT_DEBUG=all gnutls-cli -d 3 www.twca.com.tw
Actual results:
Output for www.ntu.edu.tw: output.txt
The other two websites yield similar results.
Expected results:
gnutls-cli connects to the specified website and waits for input.