Bug 702998 – deal with duplicate/extra certs in TLS cert chain

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 702998 - deal with duplicate/extra certs in TLS cert chain


Summary:	deal with duplicate/extra certs in TLS cert chain


Status:	RESOLVED DUPLICATE of bug 683266

Product:	glib
Classification:	Platform
Component:	network
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	gtkdev
QA Contact:	gtkdev

URL:
Whiteboard:

Depends on:
Blocks:	721283

Reported:	2013-06-24 18:16 UTC by Dan Winship
Modified:	2014-01-05 03:37 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Dan Winship 2013-06-24 18:16:20 UTC

Earlier today, the https-using gnome.org sites were misconfigured to send a certificate chain consisting of their own certificate twice, followed by the CA cert. Firefox handled this fine, but GTlsConnection did not, because it expected the certs to form an actual chain.

As long as there is *some* valid chain from the first cert to a known CA, it doesn't matter (for security purposes) if there are additional certs presented as well, and since Firefox apparently ignores the extra certs in this case, we should too.

Comment 1 Michael Catanzaro 2013-12-30 00:37:09 UTC

This is really similar to Bug #683266

Comment 2 Michael Catanzaro 2014-01-05 03:37:31 UTC


*** This bug has been marked as a duplicate of bug 683266 ***