Skip to content

ephemeral TLS certificate incompatible with GnuTLS and NSS libraries

Summary

It seems that GnuTLS and NSS libraries do not accept ephemeral TLS certificate we generate internally in named.

BIND version used

  • ~"Affects v9.17": 47a99158
  • openssl 1.1.1.m-1
  • gnutls 3.7.2-2
  • firefox 95.0.2-1

Arch Linux, 64-bit x86_64.

Steps to reproduce

  • Configure BIND to use ephemeral TLS certificate: named.conf (It does not matter if it is DoT or DoH.)
  • Try to connect to BIND over TLS using GnuTLS or Firefox (NSS) libraries.

What is the current bug behavior?

  • GnuTLS reports:
$ gnutls-cli --no-ca-verification 127.0.0.1:4433
Connecting to '127.0.0.1:4433'...
*** Fatal error: Error in parsing.
  • Firefox reports:
An error occurred during a connection to 127.0.0.1:4433. Peer’s certificate has an invalid signature.

Error code: SEC_ERROR_BAD_SIGNATURE

What is the expected correct behavior?

Well, all usual libraries should be able to use the cert.

Relevant configuration files

named.conf

Relevant logs and/or screenshots

GnuTLS debug log: gnutls.log (generated using -d 999) PCAP: pcap pre-master secrets: tlskeys

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information