<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/dueno">Daiki Ueno</a>
<a href="https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566098242">commented</a>:
</p>
<div style="">
<p dir="auto">I took a closer look and realized that the reproducer is a bit special: that is, the last certificate in the chain is an intermediate CA, but there is also another CA in the system trust store, which shares the same key and the DN (Certum Trusted Network CA) but uses SHA-1 for the signature.</p>
<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/-/merge_requests/1423" data-original="!1423" data-link="false" data-link-reference="false" data-project="179611" data-merge-request="98412520" data-project-path="gnutls/gnutls" data-iid="1423" data-mr-title="x509/verify: treat SHA-1 signed CA in the trusted set differently" data-reference-type="merge_request" data-container="body" data-placement="top" title="" class="gfm gfm-merge_request">!1423</a> would cover this case, but I am not sure if we need a new flag.</p>
</div>


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566098242">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/-/sent_notifications/c9a5813147a3da40aecfbdc1efba579b/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1202#note_566098242"}}</script>


</p>
</div>
</body>
</html>