GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
hramrach at gmail.com
Tue Oct 30 10:04:27 CET 2012
When this flag is set, some certificates cannot be verified.
hermes.jabber.org sends a certificate chain laid out like
S R I where S is the server certificate, R is root certificate, and I
is intermediate certificate which signs S and is signed by R. R is
gnutls-cli versions 2.8.6, 3.0.20 and 3.0.22 cannot verify the
certificate. gnutls-cli version 3.1.3 can.
Upgrading gnutls to 3.1 does not enable an application to verify the
certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is disabled in the application.
I am not sure what this flag is supposed to do but *disabling* the
ability to verify certificates is hopefully not the intention.
As Debian is shipping gnutls 3.0, this is somewhat troublesome if such a
certificate chain is supposed to be valid.
Any idea what the problem is here?
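The S R I layout described in the post, as an added example that is not part of the original message: a small Python model of X.509 path building over constructed certificate metadata (no real certificates or signature checks), contrasting a verifier that pairs each certificate with the next one sent, which fails on S R I, with one that looks up each issuer anywhere in the bundle. It also models the documented purpose of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, which is to let version 1 certificates (which carry no basicConstraints) act as CAs; the names may_sign, build_path and the sample certificates are my own.

```python
# Added example, not from the post: a model of X.509 path building over
# constructed certificate metadata (no real certificates, no signatures).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int = 3      # X.509 version: 1 (no extensions) or 3
    is_ca: bool = False   # basicConstraints CA bit, only meaningful for v3

def may_sign(cert: Cert, allow_v1_ca: bool) -> bool:
    """Whether cert may act as a CA. A v1 cert has no basicConstraints, so it
    is accepted as a CA only when the caller opts in, which is what
    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT does in GnuTLS."""
    return allow_v1_ca if cert.version == 1 else cert.is_ca

def verify_adjacent(chain: List[Cert], trusted: List[Cert], allow_v1_ca=False) -> bool:
    """Naive verifier: assumes chain[i] was issued by chain[i+1] as sent."""
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject or not may_sign(nxt, allow_v1_ca):
            return False
    return chain[-1].subject in {t.subject for t in trusted}

def build_path(chain: List[Cert], trusted: List[Cert], allow_v1_ca=False) -> Optional[List[Cert]]:
    """Order-independent verifier: finds each issuer anywhere in the bundle
    or trust store, so S R I and S I R both yield the path S -> I -> R."""
    by_subject = {c.subject: c for c in list(trusted) + list(chain)}
    anchors = {t.subject for t in trusted}
    path, seen = [chain[0]], {chain[0].subject}
    while path[-1].subject not in anchors:
        parent = by_subject.get(path[-1].issuer)
        if parent is None or parent.subject in seen or not may_sign(parent, allow_v1_ca):
            return None  # issuer missing, loop, or not allowed to act as a CA
        path.append(parent)
        seen.add(parent.subject)
    return path

# Constructed sample chain mirroring the post: S signed by I, I signed by R.
ROOT = Cert("Root CA", "Root CA", is_ca=True)
INTER = Cert("Intermediate CA", "Root CA", is_ca=True)
LEAF = Cert("hermes.jabber.org", "Intermediate CA")
# Constructed v1 root: the case the flag exists for.
V1_ROOT = Cert("Old Root", "Old Root", version=1)
V1_LEAF = Cert("v1.example", "Old Root")

if __name__ == "__main__":
    print(verify_adjacent([LEAF, ROOT, INTER], [ROOT]))   # False: S R I order
    print([c.subject for c in build_path([LEAF, ROOT, INTER], [ROOT])])
    print(build_path([V1_LEAF], [V1_ROOT]) is None, build_path([V1_LEAF], [V1_ROOT], True) is not None)
```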