Big CA certificate bundle causes problems with GnuTLS 3.0.11

Janne Snabb snabb at
Wed May 30 05:10:15 CEST 2012

On Tue, 29 May 2012, Sam Varshavchik wrote:

> I suppose someone might want, for some odd reason, to blow a wad of cash on
> having some public CA sign some certs, for their clients, even though it's
> trivial to set up your own cert, and do it yourself for free. But, still, in
> that case, at the very least you should only load /that/ CA, and not the whole
> bundle.

Google is one big e-mail sender that presents a client certificate signed
by one of the ~150 "well-known" CAs (I have not checked which one). There
are other similar but smaller mail senders also.

Janne Snabb / EPIPE Communications
snabb at -

More information about the Gnutls-help mailing list