gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at
Mon Feb 2 13:40:15 CET 2009

"Douglas E. Engert" <deengert at> writes:

> Simon Josefsson wrote:
>> If the patch is over 10 lines long we will need a copyright assignment
>> before we can apply it though.  If you want to speed up the process, you
>> could fill out the form below now.
> I sent in the form to assign at They are sending a paper copy
> which must be signed and mailed back. This may be a problem, as I will
> have to get it OK'ed, which might take weeks.
> So here is the short version of a "shorten the cert chain" patch that
> is only 10 lines long. Do with it what you want. As this fixes
> our problem, I consider it a bug fix.
> But you will need to add a check_if_same_cert routine, which can be
> taken from the first half of the check_if_ca routine. The line numbers
> may be off, but in the 2.6.3 version, it would be inserted at line 394.
> This will also solve our problem, as V1 cert will not get used at all
> ans the intermediate cert is trusted and is V3.

Thanks for the patch.  I started looking at this now, and there is a
small problem: the code removes certificates from the certificate chain
before the CRL code has had a chance to check whether certificates in
the chain are revoked.  I think the best is to move the CRL checking
code up a bit.

I'll try to get a new 2.6.x and 2.4.x release out, and then look further
at getting your patch into the 2.7.x branch.  I'm rather busy this week
though, so may not have time until next week.


More information about the Gnutls-devel mailing list