[gnutls-devel] Unable to trust server certificate instead of issueing CA

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 4 15:27:56 CET 2014

On Wed, Dec 3, 2014 at 8:01 PM, Andreas Metzler <ametzler at bebt.de> wrote:
> Hello,
> This came up on d-d
> <http://article.gmane.org/gmane.linux.debian.devel.general/199833>:
> With gnutls 3.3.* it seems to be impossible to trust server
> certificate instead of the signing authority:

Thanks for bringing that up. Indeed, the use cases were separated
because with the previous approach there was no way to restrict a
server certificate to a particular server. You would have to trust
that server to have the correct DNSnames, and the software adding them
should check whether they are the intended. You could for example
connect to www.example.com, but its certificate may in addition to
www.example.com contain www.google.com as well (or even a wildcard).
That seemed quite easy for an UI which saves them to get wrong, so
support for mixing server with CA certificates was removed when trust
lists were introduced.

That functionality was replaced by
gnutls_x509_trust_list_add_named_crt () and verify_named_crt(), and as
Daniel mentioned also with trust on first use:
. Please feel free to point out any locations in the documentation
that could be improved.


More information about the Gnutls-devel mailing list