http://bugzilla.novell.com/show_bug.cgi?id=496385

Summary: gnutls-cli fails to verify certificate name
Classification: openSUSE
Product: openSUSE 11.0
Version: Final
Platform: All
OS/Version: All
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: matthias.andree@gmx.de
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)

(flagged this bug "critical" as it can cause sensitive information to leak to untrusted computers)

gnutls-cli version 2.2.2 does not verify whether the certificate's CommonName matches the actual server name given on the command line; for instance:

  wget http://www.pki.dfn.de/fileadmin/PKI/zertifikate/deutsche-telekom-root-ca-2.p...
  gnutls-cli --x509cafile deutsche-telekom-root-ca-2.pem -p 443 svn-serv2.cs.uni-paderborn.de

(svn-serv2.cs... may have disappeared when this report is read; the certificate has CN=svn-serv.cs... without the "2".)

Please consider backporting a newer gnutls-cli version, or patching the existing one if that would introduce incompatibilities.

Reproducible: Always

Steps to Reproduce:
Install gnutls-2.2.2-17.2 on openSUSE 11.0, then run the wget and gnutls-cli commands above.

Actual Results:
GnuTLS-cli 2.2.2 yields:

- Certificate[0] info:
 # The hostname in the certificate does NOT match 'svn-serv2.cs.uni-paderborn.de'.
 # valid since: Tue Jan 6 14:47:33 CET 2009
 # expires at: Sun Jan 5 14:47:33 CET 2014
 # fingerprint: DA:FE:F6:12:29:99:CC:CE:D3:CD:E6:94:4B:C9:BE:52
 # Subject's DN: C=DE,ST=Nordrhein-Westfalen,L=Paderborn,O=Universitaet Paderborn,OU=IRB (Informatik Rechner Betriebsgruppe),CN=svn-serv.cs.uni-paderborn.de
 # Issuer's DN: C=DE,O=Universitaet Paderborn,OU=IMT (Zentrum fuer Informations- und Medientechnologien),CN=Universitaet Paderborn CA - G01,EMAIL=ca@uni-paderborn.de

but continues through to:

- Peer's certificate is trusted

which is false; see the "does NOT match" line above. Note that I did not allow --insecure via command line switch.

Expected Results:
GnuTLS-cli _MUST_ !!! refuse the connection.

This appears fixed in a later version (2.4.1 on openSUSE 11.1).
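The check the report says gnutls-cli 2.2.2 printed but did not act on, written out as an added Python example (it is not GnuTLS code and not the reporter's): a hostname match per the RFC 2818 / RFC 6125 rules (case-insensitive, wildcard only as the whole left-most label, dNSName SAN entries take precedence over the CN, IP literals match only iPAddress SAN entries), followed by the decision a client must make from chain trust plus name match. The CN is the one from the Subject DN quoted above; that the certificate carried no subjectAltName is an assumption made for the example, not something the report states.

```python
"""Hostname verification of the kind a TLS client must apply before it reports
a trusted peer. Added example, not GnuTLS code. The certificate names below come
from the Subject DN in the report; the absence of a subjectAltName is ASSUMED."""
import ipaddress
from typing import Iterable, Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname (RFC 6125 section 6.4.3).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire left-most label, only when at least two labels
    follow it (so '*.de' never matches anything), and it never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(hostname: str, san_dns: Iterable[str], san_ip: Iterable[str],
                     subject_cn: Optional[str]) -> bool:
    """Decide whether `hostname` is a name the certificate was issued for.

    An IP-literal hostname is compared only against iPAddress SAN entries.
    If any dNSName SAN entries exist, the CN is ignored; the CN is a fallback
    only for certificates that carry no dNSName SAN at all."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(c) == ip for c in san_ip)
    san_dns = list(san_dns)
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    return subject_cn is not None and _dns_name_matches(subject_cn, hostname)


def peer_is_trusted(chain_trusted: bool, hostname: str, san_dns: Iterable[str],
                    san_ip: Iterable[str], subject_cn: Optional[str],
                    insecure: bool = False) -> bool:
    """The decision the client has to make: proceed only if the chain verifies
    AND the name matches, unless the user explicitly asked for --insecure."""
    if insecure:
        return True
    return chain_trusted and hostname_matches(hostname, san_dns, san_ip, subject_cn)


# CN taken from the Subject DN quoted in the report; no SAN is an ASSUMPTION.
REPORTED_CN = "svn-serv.cs.uni-paderborn.de"
REPORTED_SAN_DNS: list = []
REPORTED_SAN_IP: list = []


def reported_case(requested_host: str = "svn-serv2.cs.uni-paderborn.de") -> bool:
    """The report's situation: chain verifies, name mismatches, no --insecure."""
    return peer_is_trusted(True, requested_host, REPORTED_SAN_DNS,
                           REPORTED_SAN_IP, REPORTED_CN)


if __name__ == "__main__":
    for host in ("svn-serv2.cs.uni-paderborn.de", "svn-serv.cs.uni-paderborn.de"):
        verdict = "trusted" if reported_case(host) else "REFUSE connection"
        print(f"{host} -> {verdict}")
```

Running it refuses the connection for svn-serv2.cs.uni-paderborn.de and accepts svn-serv.cs.uni-paderborn.de, which is the behaviour the report asks for: a "does NOT match" finding must feed into the trust decision rather than be printed and ignored.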