Test failure of ‘chainverify’

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Mar 11 20:58:34 CET 2010


Ludovic Courtès wrote:
> Hello,
> 
> The ‘chainverify’ test currently fails with the latest libtasn1 and
> libgcrypt:

OK, it seems that the test that verifies an expired trusted certificate
fails. That is because the current code considers a trusted certificate as
ultimately trusted even for the first certificate in the chain (the previous
code did that for all except the first one, the end-user certificate).

This uncovered an issue, since there was no consistent treatment of the
certificates in the trusted list. I believe the current behavior is fine
and rational (trust unconditionally anything in the trusted list), but
there might be arguments for not allowing weak algorithms and expired
certificates in the trusted list (or having additional flag(s) for them).

What do you think?

regards,
Nikos
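The policy question raised above (anchor certificates accepted unconditionally, with optional flags to reject expired or weakly signed anchors) is easier to reason about against a small model. The following is an added example written for this page; it is not GnuTLS code and does not use the GnuTLS API. Real signatures are replaced by a toy HMAC-SHA256 keyed with a per-CA secret that the verifier holds, the `DISALLOW_EXPIRED_TRUSTED` and `DISALLOW_WEAK_TRUSTED` flag names are hypothetical, and the certificates, dates and secrets are constructed sample data. What it shows is the behaviour described in the message: a certificate found in the trusted list ends verification immediately, even when it is the first (end-user) certificate, while every non-trusted certificate must be unexpired, signed with a non-weak algorithm, and correctly signed by its issuer.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac

# Hypothetical policy flags (assumption: names chosen for this example, not GnuTLS's).
DISALLOW_EXPIRED_TRUSTED = 1 << 0   # reject an anchor whose validity period has ended
DISALLOW_WEAK_TRUSTED = 1 << 1      # reject an anchor signed with a weak algorithm

WEAK_ALGOS = {"md5", "sha1"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    sig_algo: str      # label used only for the weak-algorithm policy decision
    signature: bytes   # toy signature: HMAC-SHA256 over the to-be-signed bytes


def tbs_bytes(subject, issuer, not_after, sig_algo):
    """Deterministic encoding of the fields the toy signature covers."""
    return f"{subject}|{issuer}|{not_after.isoformat()}|{sig_algo}".encode()


def issue(issuer_secret, subject, issuer, not_after, sig_algo="sha256"):
    """Create a certificate 'signed' by the issuer's secret (toy stand-in for a CA key)."""
    sig = hmac.new(issuer_secret, tbs_bytes(subject, issuer, not_after, sig_algo), hashlib.sha256).digest()
    return Cert(subject, issuer, not_after, sig_algo, sig)


def signature_ok(cert, issuer_secret):
    expected = hmac.new(issuer_secret, tbs_bytes(cert.subject, cert.issuer, cert.not_after, cert.sig_algo),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def check_trusted(cert, now, flags):
    """Policy for a certificate that is itself in the trusted list: unconditional unless flags say otherwise."""
    if flags & DISALLOW_EXPIRED_TRUSTED and cert.not_after < now:
        return False, f"trusted cert {cert.subject} is expired"
    if flags & DISALLOW_WEAK_TRUSTED and cert.sig_algo in WEAK_ALGOS:
        return False, f"trusted cert {cert.subject} uses weak algorithm {cert.sig_algo}"
    return True, "ok"


def verify_chain(chain, trusted, secrets, now, flags=0):
    """chain[0] is the end-user certificate, each following entry is the issuer of the one before.
    secrets maps CA subject -> toy signing secret. Returns (ok, reason)."""
    trusted_set = set(trusted)
    for i, cert in enumerate(chain):
        # Current behaviour discussed in the thread: membership in the trusted list ends
        # verification, even for the first certificate; only the optional flags restrict it.
        if cert in trusted_set:
            return check_trusted(cert, now, flags)
        if cert.not_after < now:
            return False, f"{cert.subject} is expired"
        if cert.sig_algo in WEAK_ALGOS:
            return False, f"{cert.subject} signed with weak algorithm {cert.sig_algo}"
        # The issuer is the next certificate in the chain, or else an anchor with a matching subject.
        if i + 1 < len(chain):
            issuer, from_trusted = chain[i + 1], False
        else:
            issuer = next((t for t in trusted if t.subject == cert.issuer), None)
            from_trusted = True
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no issuer found for {cert.subject}"
        secret = secrets.get(issuer.subject)
        if secret is None or not signature_ok(cert, secret):
            return False, f"bad signature on {cert.subject}"
        if from_trusted:
            return check_trusted(issuer, now, flags)
    return False, "chain does not end in a trusted certificate"


# Constructed sample data: an expired root anchor, a second CA that is not trusted, and leaves.
NOW = datetime(2010, 3, 11, tzinfo=timezone.utc)
SECRETS = {"Root CA": b"root-secret-constructed", "Other CA": b"other-secret-constructed"}
ROOT = issue(SECRETS["Root CA"], "Root CA", "Root CA", datetime(2009, 1, 1, tzinfo=timezone.utc))
OTHER = issue(SECRETS["Other CA"], "Other CA", "Other CA", datetime(2020, 1, 1, tzinfo=timezone.utc))
LEAF = issue(SECRETS["Root CA"], "server.example", "Root CA", datetime(2011, 1, 1, tzinfo=timezone.utc))
EXPIRED_LEAF = issue(SECRETS["Root CA"], "old.example", "Root CA", datetime(2009, 6, 1, tzinfo=timezone.utc))
WEAK_LEAF = issue(SECRETS["Root CA"], "weak.example", "Root CA", datetime(2011, 1, 1, tzinfo=timezone.utc), "sha1")
LEAF_OTHER = issue(SECRETS["Other CA"], "other.example", "Other CA", datetime(2011, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("expired anchor, no flags:   ", verify_chain([LEAF, ROOT], [ROOT], SECRETS, NOW))
    print("expired anchor, flag set:   ", verify_chain([LEAF, ROOT], [ROOT], SECRETS, NOW, DISALLOW_EXPIRED_TRUSTED))
    print("expired leaf as anchor:     ", verify_chain([EXPIRED_LEAF], [EXPIRED_LEAF], SECRETS, NOW))
    print("expired leaf, not an anchor:", verify_chain([EXPIRED_LEAF, ROOT], [ROOT], SECRETS, NOW))
```

The first two calls reproduce the situation in the failing test: the chain validates under the current unconditional-trust rule, and fails only when the hypothetical expiry flag is set. The third call is the first-certificate case the message describes, where an end-user certificate placed directly in the trusted list is accepted regardless of its validity period.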
