mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-26 20:45:36 +00:00
179c227203
In the 2.7 branch, test-ca.crt has all the components of its Subject name encoded as PrintableString, because it's generated with our cert_write program, and our code writes all components that way until Mbed TLS 2.14. But the default RSA SHA-256 certificate, server2-sha256.crt, has the O and CN components of its Issuer name encoded as UTF8String, because it was generated with OpenSSL and that's what OpenSSL does, regardless of how those components were encoded in the CA's Subject name. This triggers some overly strict behaviour in some libraries, most notably NSS and GnuTLS (of interest to us in ssl-opt.sh) which won't recognize the trusted root as a possible parent for the presented certificate, see for example: https://github.com/ARMmbed/mbedtls/issues/1033 Fortunately, we have at our disposal a version of test-ca.crt with encodings matching the ones in server2-sha256.crt, in the file test-ca_utf8.crt. So let's append that to gnutls-cli's list of trusted roots, so that it recognizes certs signed by this CA but with the O and CN components as UTF8String. Note: Since https://github.com/ARMmbed/mbedtls/pull/1641 was merged (in Mbed TLS 2.14), we changed how we encode those components, so in the 2.16 branch, cert_write generates test-ca.crt with encodings that matches the ones used by openssl when generating server2-sha256.crt, so the issue of gnutls-cli rejecting server2-sha256.crt is specific to the 2.7 branch. |
||
---|---|---|
.. | ||
.jenkins | ||
configs | ||
data_files | ||
git-scripts | ||
scripts | ||
suites | ||
.gitignore | ||
CMakeLists.txt | ||
compat.sh | ||
Descriptions.txt | ||
Makefile | ||
ssl-opt.sh |