Bug 7481 - Certificate chain using different ASN.1 types do not work
Summary: Certificate chain using different ASN.1 types do not work
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.12.0
Assignee: Pierre Ossman
Keywords: aleta_tester, prosaic
Depends on:
Reported: 2020-03-24 14:32 CET by Pierre Ossman
Modified: 2020-04-03 14:20 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2020-03-24 14:32:01 CET
GnuTLS (and hence tlstunnel and tlwebaccess/tlwebadm) will not accept a certificate chain where a subject/issuer pair in the chain are encoded in different ways.

E.g. the issuer field of the server certificate uses PrintableString but the subject of the CA certificate uses UTF8String.

This was forbidden in the original RFC 3280 so that distinguished names could be compared on a binary level. However RFC 5280 has relaxed this and requires the same comparison that LDAP does.

OpenSSL supports this case, but upstream GnuTLS seems to be very sceptical:

Comment 2 Pierre Ossman cendio 2020-03-31 10:27:37 CEST
We have suggested a fix to upstream that they seem okay with:

Comment 4 Pierre Ossman cendio 2020-03-31 11:39:26 CEST
Should be fixed now.

Tester should hopefully be able to use the instructions here to generate certificates that exhibit this issue:


Otherwise talk to me to use the ones I have.
Comment 5 Alex Tanskanen cendio 2020-04-03 14:20:47 CEST
Reproduced this problem on 4.11.0 where the full chain of certificates was not returned. Using the same certificates I tested this on build 6436 and the complete chain was returned. 

To verify that certificates chains still works as intended I:
 * expanded the chain 
 * tested with fewer certs
 * issued multiple certs from one CA and switching between those.

to see if the complete chain was shown, which it was. It works fine now so closing this.

Note You need to log in before you can comment on or make changes to this bug.