GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

Michal Suchanek hramrach at gmail.com
Tue Oct 30 10:04:27 CET 2012


Hello,

When this flag is set, some certificates cannot be verified.


hermes.jabber.org sends a certificate chain laid out like

S R I, where S is the server certificate, R is the root certificate, and I
is the intermediate certificate which signs S and is signed by R. R is a
known CA.

gnutls-cli versions 2.8.6, 3.0.20 and 3.0.22 cannot verify the
certificate. gnutls-cli version 3.1.3 can.

Upgrading gnutls to 3.1 does not enable an application to verify the
certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is disabled in the application.

I am not sure what this flag is supposed to do but *disabling* the
ability to verify certificates is hopefully not the intention.

As Debian is shipping gnutls 3.0, this is somewhat troublesome if such a
certificate chain is supposed to be valid.

Any idea what the problem is here?

Thanks

Michal
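Added example, not part of the mail above and not GnuTLS code: the S R I layout described in the report, modelled with constructed Subject/Issuer names, and the issuer-walk a verifier (or a pre-check in an application) can use to detect the misordering and rebuild the S I R order before verification. The certificate names are assumptions.

```python
from typing import List, NamedTuple, Tuple


class Cert(NamedTuple):
    """Minimal stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def is_ordered(chain: List[Cert]) -> bool:
    """True if each certificate is directly followed by the one that signed it."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))


def order_chain(chain: List[Cert]) -> Tuple[List[Cert], List[Cert]]:
    """Rebuild leaf -> intermediate(s) -> root order by walking Issuer -> Subject.

    The first element is taken as the end-entity certificate. The walk stops at
    a self-signed certificate or when no sent certificate matches the current
    issuer (the usual case when the root lives only in the trust store).
    Returns (ordered chain, certificates that could not be linked) so the caller
    can log leftovers instead of silently ignoring them.
    """
    if not chain:
        raise ValueError("empty chain")
    ordered, pool = [chain[0]], list(chain[1:])
    while not ordered[-1].self_signed:
        wanted = ordered[-1].issuer
        match = next((c for c in pool if c.subject == wanted), None)
        if match is None:
            break
        pool.remove(match)
        ordered.append(match)
    return ordered, pool


# Constructed sample mirroring the report: sent as S R I instead of S I R.
LEAF = Cert("CN=hermes.jabber.org", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
AS_SENT = [LEAF, ROOT, INTER]

if __name__ == "__main__":
    print("sent chain ordered:", is_ordered(AS_SENT))           # False
    print([c.subject for c in order_chain(AS_SENT)[0]])          # S, I, R
```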



