The _gnutls_x509_verify_certificate fix

Simon Josefsson simon at
Mon Nov 10 18:33:05 CET 2008

Tomas Mraz <tmraz at> writes:

> Hello,
> given the recent fix in the _gnutls_x509_verify_certificate I have been
> looking at the function. I see there are currently some limitations in
> it. For example it now doesn't allow verification of explicitely trusted
> self-signed site certificate. Is there some other method how this could
> be achieved? If not, then perhaps the test for the self-signed should be
> performed only when clist_size > 1. Also the test for the clist_size
> should be first test of the if().
> The other limitation is that only the last certificate (after removing
> eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.
> What do you think of these limitations, should they be removed?

Hi.  Thanks for looking at the code.  Yes, I would agree that both
situations should be permitted, and consequently that the limitations
should be removed.


More information about the Gnutls-devel mailing list