[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a
simon at josefsson.org
Tue Jul 13 19:13:31 CEST 2010
"Nikos Mavrogiannopoulos" <nmav at gnutls.org> writes:
> + gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
What was the reason for this change? Do we want to do this
unconditionally? Maybe we could introduce a --permit-v1-cas flag? I'd
rather prefer to treat V1 CAs as broken-by-default...
Hm. Generally, X.509 validation is quite complex, just like TLS
security policies. I wonder if a X.509 priority string concept would be
useful? Then the user could say --x509-priority
"NORMAL:+VERIFY_ALLOW_X509_V1_CA_CRT" to do the above. Thoughts? The
string could be used to modify how X.509 validation works in many ways.
More information about the Gnutls-devel