Test failure of ‘chainverify’
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Mar 11 20:58:34 CET 2010
Ludovic Courtès wrote:
> Hello,
>
> The ‘chainverify’ test currently fails with the latest libtasn1 and
> libgcrypt:
Ok, it seems that the test that verifies an expired trusted certificate
fails. That is because the current code considers trusted as ultimately
trusted even for the first certificate in the chain (the previous code
did that for all except for the first one, the end user).
This uncovered an issue since there was no consistent treatment of the
certificates in the trusted list. I believe the current behavior is fine
and rational (trust unconditionally anything in the trusted list), but
there might be arguments for not allowing weak algorithms and expired
certificates in the trusted list (or have additional flag(s) for them).
What do you think?
regards,
Nikos
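The policy question raised in the message, modelled as an added example that is not GnuTLS code: certificates are plain records, "signature verification" is simulated by issuer/subject name matching, and the flag names (`REJECT_EXPIRED_TRUSTED`, `REJECT_WEAK_TRUSTED`) are hypothetical. It shows how "trust unconditionally anything in the trusted list" behaves for an expired root and for an expired end-entity certificate that is itself in the trusted list, and how optional flags would turn those into failures while non-anchor certificates are always fully checked.

```python
"""Toy model of chain verification against a trusted list (constructed example).

Not GnuTLS code: a Cert is a plain record and signature checking is replaced
by issuer/subject name matching so the model runs offline and isolates the
trust-anchor policy. Flag names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Flag, auto


class VerifyFlags(Flag):
    """Hypothetical policy flags for certificates found in the trusted list."""
    NONE = 0
    REJECT_EXPIRED_TRUSTED = auto()  # an expired trust anchor fails verification
    REJECT_WEAK_TRUSTED = auto()     # a weak-algorithm trust anchor fails verification


# Signature algorithms treated as weak in this model (constructed list).
WEAK_ALGORITHMS = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    sig_alg: str = "sha256WithRSAEncryption"


def _problems(cert: Cert, now: datetime) -> list[str]:
    """Checks applied to every certificate that is NOT a trust anchor."""
    out = []
    if now > cert.not_after:
        out.append(f"{cert.subject}: expired")
    if cert.sig_alg in WEAK_ALGORITHMS:
        out.append(f"{cert.subject}: weak algorithm {cert.sig_alg}")
    return out


def _anchor_problems(anchor: Cert, now: datetime, flags: VerifyFlags) -> list[str]:
    """Checks applied to a trust anchor only when the corresponding flag is set."""
    out = []
    if VerifyFlags.REJECT_EXPIRED_TRUSTED in flags and now > anchor.not_after:
        out.append(f"{anchor.subject}: trusted but expired")
    if VerifyFlags.REJECT_WEAK_TRUSTED in flags and anchor.sig_alg in WEAK_ALGORITHMS:
        out.append(f"{anchor.subject}: trusted but weak algorithm {anchor.sig_alg}")
    return out


def verify_chain(chain, trusted, now, flags=VerifyFlags.NONE):
    """Return (ok, reasons). chain[0] is the end-entity certificate.

    Any certificate found in `trusted` ends the walk as an anchor, including
    chain[0] itself (the behaviour described in the message). Anchors are
    accepted unconditionally unless `flags` asks for checks on them; every
    other certificate is checked for expiry, weak algorithm and issuer linkage.
    """
    reasons: list[str] = []
    trusted_set = set(trusted)
    by_subject = {c.subject: c for c in trusted}
    for i, cert in enumerate(chain):
        if cert in trusted_set:
            reasons.extend(_anchor_problems(cert, now, flags))
            return (not reasons, reasons)
        reasons.extend(_problems(cert, now))
        # The issuer is either the next certificate in the chain or a trusted root.
        nxt = chain[i + 1] if i + 1 < len(chain) else by_subject.get(cert.issuer)
        if nxt is None:
            reasons.append(f"{cert.subject}: issuer '{cert.issuer}' is neither in the chain nor in the trusted list")
            return (False, reasons)
        if nxt.subject != cert.issuer:
            reasons.append(f"{cert.subject}: next certificate '{nxt.subject}' is not its issuer")
            return (False, reasons)
        if i + 1 >= len(chain):
            # Chain exhausted; the anchor came from the trusted list.
            reasons.extend(_anchor_problems(nxt, now, flags))
            return (not reasons, reasons)
    return (False, reasons + ["empty chain"])


# Constructed sample data: an expired root, a valid intermediate, a valid leaf.
NOW = datetime(2010, 3, 11, tzinfo=timezone.utc)
ROOT = Cert("CN=Example Root", "CN=Example Root", datetime(2009, 1, 1, tzinfo=timezone.utc))
CA = Cert("CN=Example CA", "CN=Example Root", datetime(2020, 1, 1, tzinfo=timezone.utc))
LEAF = Cert("CN=example.test", "CN=Example CA", datetime(2011, 1, 1, tzinfo=timezone.utc))
EXPIRED_LEAF = Cert("CN=old.test", "CN=Example CA", datetime(2009, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(verify_chain([LEAF, CA], [ROOT], NOW))
    print(verify_chain([LEAF, CA], [ROOT], NOW, VerifyFlags.REJECT_EXPIRED_TRUSTED))
    print(verify_chain([EXPIRED_LEAF], [EXPIRED_LEAF], NOW))
```

With the default flags the expired root and the expired end-entity certificate in the trusted list both verify, which is the behaviour the failing test exposed; setting `REJECT_EXPIRED_TRUSTED` makes both fail, while an expired intermediate that is not in the trusted list fails regardless of flags.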
More information about the Gnutls-devel mailing list