Intermediate Certificate problem

Nikos Mavrogiannopoulos nmav at
Thu Jul 8 17:59:28 CEST 2010

Simon Brown wrote:
> Hi,

> I use the Wanderlust email client and the Debian packager, Tatsuya, has
> recently changed to using GNU TLS from OpenSSL. This has caused a
> problem for me as an IMAP server I use seems to have a certificate
> problem which either didn't exist before or was ignored by OpenSSL.
> The instructions to help diagnose the problem given by Tatsuya the
> packager are shown below with the output. The server's administrators
> claim there is not a problem as Thunderbird on Win32 has no
> problem. Thunderbird does not include the Educational certificate in
> its root store.

It seems that the program you are using should set the verification flag
to allow X.509 V.1 certificates. This is done with the

call. For some reason it wasn't the default in gnutls-cli as well. I've set
it now.

> I have worked around the problem by adding the intermediate
> certificate to my local store. I would nonetheless be very grateful
> for any help in locating the cause of the problem.

By default we disable version 1 certificates since it is not possible to
distinguish CA certificates from end-user (server) certificates. If one
is sure that his trusted certificate storage only contains CA
certificates, then this flag should be specified.
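
The reasoning in the reply above, as an added example that is not part of the original message and is not GnuTLS code: a version 1 certificate has no extensions field, so it carries no basicConstraints to mark it as a CA. The certificate stubs are constructed, and `usable_as_issuer` with its `allow_v1_ca` parameter is a hypothetical model of the default and of the flag the reply refers to.

```python
BC_OID = bytes.fromhex("551d13")  # basicConstraints, OID 2.5.29.19

def tlv(tag, body):
    """Encode a DER TLV (short-form length suffices for the stubs below)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the TLV at pos, returning (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split a constructed value into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def ca_status(cert_der):
    """Return (version, is_ca); is_ca is None when the cert cannot say."""
    fields = children(children(read_tlv(cert_der, 0)[1])[0][1])
    version, is_ca = 1, None  # the [0] version field is omitted for v1
    if fields[0][0] == 0xA0:
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    for val in (v for t, v in fields if t == 0xA3):  # [3] extensions, v3 only
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)  # OID, optional critical flag, value
            if parts[0] == (0x06, BC_OID):
                bc = children(children(parts[-1][1])[0][1])
                is_ca = bool(bc) and bc[0] == (0x01, b"\xff")
    return version, is_ca

def usable_as_issuer(cert_der, allow_v1_ca=False):
    """Model of the policy in the reply; allow_v1_ca is a hypothetical name."""
    version, is_ca = ca_status(cert_der)
    return allow_v1_ca if version == 1 else is_ca is True

def skeleton(version, ca=None):
    """Constructed TBSCertificate stub: version, serial, optional extension."""
    f = tlv(0xA0, tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    f += tlv(0x02, b"\x01")
    if ca is not None:
        bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
        f += tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, BC_OID) + tlv(0x04, bc))))
    return tlv(0x30, tlv(0x30, f))
```

`ca_status` also accepts a real DER-encoded certificate; for any version 1 input it returns `None` for the CA marker, which is why the model only accepts such a certificate as an issuer when the caller opts in.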

