Key usage violation in certificate has been detected
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls26 (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Medium | Brian Murray |
Quantal | Fix Released | Medium | Brian Murray |
Bug Description
[Impact]
When a certificate is issued to allow _only_ a certain ciphersuite (e.g. RSA), gnutls will fail with a key usage violation unless the server explicitly disables all other ciphersuites.
[Test Case]
+ On a 12.04 system install a valid certificate supporting only RSA
+ Configure an ssl enabled website via apache2 using the above certificate
+ Run gnutls-cli <hostname>
[Regression Potential]
The fix for this was pulled from 13.04 and so far no major bugs have been filed relating to this specific issue.
[Additional]
As stated above the attached debdiff(s) for quantal and precise were pulled from 13.04 where the code just ignores this violation and moves on. I don't know of a better way to handle this and perhaps someone with more knowledge around gnutls could provide more insight.
Changed in gnutls26 (Ubuntu):
status: New → Fix Released
Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Brian Murray (brian-murray)
Changed in gnutls26 (Ubuntu Quantal):
assignee: nobody → Brian Murray (brian-murray)
Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Precise):
status: New → Triaged
Changed in gnutls26 (Ubuntu Quantal):
status: New → Triaged
tags: added: verification-done-precise verification-needed, removed: verification-done
Here is a link to the upstream commit:
https://gitorious.org/gnutls/gnutls/commit/dbc72ae47b16c6718cb5e53d4a31205bc45d3742/diffs
and a bit from the NEWS file:
** libgnutls: Always tolerate key usage violation errors from the side of the peer, but also notify via an audit message.
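To make the behaviour change in that NEWS entry concrete, here is an added example (a simplified model, not GnuTLS code and not part of the original report) that decodes a certificate's KeyUsage BIT STRING and checks it against the negotiated key exchange, once with the old hard failure and once with tolerate-and-audit. The enum names, the audit wording and the sample bytes are constructed for illustration; the usage-bit requirements per key exchange are taken from RFC 5246 section 7.4.2, which the page itself does not cite.

```c
#include <stddef.h>
#include <stdio.h>

/* KeyUsage flags as they sit in the first content octet (RFC 5280). */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_KEY_ENCIPHERMENT  0x20

/* Hypothetical names for this model; they are not GnuTLS identifiers. */
enum kx { KX_RSA, KX_DHE_RSA, KX_ECDHE_RSA };
enum verdict { KU_MALFORMED = -2, KU_REJECTED = -1, KU_OK = 0, KU_TOLERATED = 1 };

/* Constructed sample: DER BIT STRING, 5 unused bits, keyEncipherment only. */
static const unsigned char ku_rsa_only[] = { 0x03, 0x02, 0x05, 0x20 };

/* Decode a DER KeyUsage BIT STRING; return its first flag octet or -1. */
static int decode_key_usage(const unsigned char *der, size_t len)
{
    /* Tag BIT STRING, one or two flag octets, unused-bit count 0..7. */
    if (len < 4 || der[0] != 0x03 || der[2] > 7 ||
        der[1] < 2 || der[1] > 3 || (size_t)der[1] + 2 != len)
        return -1;
    /* With a single flag octet the unused low bits must not count. */
    return der[3] & (0xFF << (der[1] == 2 ? der[2] : 0)) & 0xFF;
}

/* Check the peer's key usage against the negotiated key exchange.
 * tolerate = 0 models the old hard failure, 1 the tolerate-and-audit fix. */
static enum verdict check_peer_key_usage(enum kx kx, const unsigned char *der,
                                         size_t len, int tolerate)
{
    /* RFC 5246 7.4.2: RSA needs keyEncipherment, (EC)DHE_RSA digitalSignature. */
    int need = (kx == KX_RSA) ? KU_KEY_ENCIPHERMENT : KU_DIGITAL_SIGNATURE;
    int ku = decode_key_usage(der, len);
    if (ku < 0)
        return KU_MALFORMED;
    if (ku & need)
        return KU_OK;
    if (!tolerate)
        return KU_REJECTED;
    /* Constructed audit wording; the real message text is not on the page. */
    fprintf(stderr, "audit: peer key usage 0x%02x violates key exchange\n", ku);
    return KU_TOLERATED;
}

int main(void)
{
    printf("RSA: %d, DHE-RSA strict: %d, DHE-RSA tolerant: %d\n",
           check_peer_key_usage(KX_RSA, ku_rsa_only, sizeof ku_rsa_only, 0),
           check_peer_key_usage(KX_DHE_RSA, ku_rsa_only, sizeof ku_rsa_only, 0),
           check_peer_key_usage(KX_DHE_RSA, ku_rsa_only, sizeof ku_rsa_only, 1));
    return 0;
}
```

Because the tolerant path no longer stops the handshake, the audit line is the only remaining signal that a peer certificate is being used outside its declared key usage, so it is worth collecting.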