GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

Michal Suchanek hramrach at
Tue Oct 30 10:04:27 CET 2012


When this flag is set, some certificates cannot be verified. The server sends a certificate chain laid out like

S R I, where S is the server certificate, R is the root certificate, and I
is the intermediate certificate which signs S and is signed by R. R is a
known CA.

gnutls-cli version 2.8.6, 3.0.20 and 3.0.22 cannot verify the
certificate. gnutls-cli version 3.1.3 can.

Upgrading gnutls to 3.1 does not enable an application to verify the
certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is disabled in the application.

I am not sure what this flag is supposed to do but *disabling* the
ability to verify certificates is hopefully not the intention.

As Debian is shipping gnutls 3.0, this is somewhat troublesome if such a
certificate chain is supposed to be valid.

Any idea what the problem is here?
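As an added illustration (not code from the post, and not GnuTLS's own verifier), the Python below models the two things a verifier has to get right for a chain sent as S R I: reordering the certificates by issuer before walking them, and deciding which certificates are allowed to act as CAs. GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is documented to allow version 1 certificates, which carry no basicConstraints extension, to act as CAs (root or intermediate); the model's ALLOW_X509_V1_CA_CRT flag plays the same role. The Cert class, the function names and the sample chains are constructed for the example; signatures, validity periods, name constraints and revocation are not modelled, and the model does not reproduce the failure described in the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate: only the fields that chain
    building and CA eligibility depend on. Not a GnuTLS structure."""
    subject: str
    issuer: str
    version: int                 # X.509 version: 1 or 3
    ca: Optional[bool] = None    # basicConstraints cA bit; None when the extension
                                 # is absent (a v1 certificate has no extensions)


# Stand-in for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; the numeric value is arbitrary.
ALLOW_X509_V1_CA_CRT = 1 << 0


def sort_chain(certs: List[Cert]) -> List[Cert]:
    """Reorder a peer-supplied list so each certificate is followed by its
    issuer. The first certificate is taken to be the end-entity (TLS requires
    the sender's own certificate first); the rest may be in any order, for
    example S R I as in the post. Certificates that do not link in are dropped."""
    if not certs:
        return []
    by_subject: Dict[str, Cert] = {c.subject: c for c in certs}
    ordered = [certs[0]]
    seen = {certs[0].subject}
    cur = certs[0]
    while cur.issuer != cur.subject and cur.issuer in by_subject and cur.issuer not in seen:
        cur = by_subject[cur.issuer]
        ordered.append(cur)
        seen.add(cur.subject)
    return ordered


def can_act_as_ca(cert: Cert, flags: int) -> bool:
    """A v3 certificate may sign others only if basicConstraints says cA=TRUE.
    A v1 certificate has no basicConstraints at all, so it is accepted as a CA
    only when the caller opts in with the allow-v1-CA flag."""
    if cert.version >= 3:
        return cert.ca is True
    return bool(flags & ALLOW_X509_V1_CA_CRT)


def verify_chain(certs: List[Cert], trusted: List[Cert], flags: int = 0) -> Tuple[bool, str]:
    """Walk from the end-entity towards a trust anchor, checking at each step
    that the issuer is permitted to act as a CA. Returns (ok, reason)."""
    chain = sort_chain(certs)
    anchors = {c.subject: c for c in trusted}
    for idx, cert in enumerate(chain):
        if cert in trusted:
            return True, f"{cert.subject!r} is itself a trust anchor"
        issuer = anchors.get(cert.issuer)              # prefer the trust store
        if issuer is None and idx + 1 < len(chain):
            issuer = chain[idx + 1]                    # else the next cert in the sorted chain
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"issuer {cert.issuer!r} of {cert.subject!r} not found"
        if not can_act_as_ca(issuer, flags):
            return False, (f"{issuer.subject!r} (v{issuer.version}, ca={issuer.ca}) "
                           f"is not permitted to sign {cert.subject!r}")
        if issuer.subject in anchors:
            return True, f"{cert.subject!r} chains to trust anchor {issuer.subject!r}"
    return False, "chain ended without reaching a trust anchor"


# Constructed sample chain, sent in S R I order as in the post (not real certificates).
ROOT = Cert("CN=Example Root", "CN=Example Root", 3, ca=True)
INTER = Cert("CN=Example Intermediate", "CN=Example Root", 3, ca=True)
SERVER = Cert("CN=www.example.org", "CN=Example Intermediate", 3, ca=False)
S_R_I = [SERVER, ROOT, INTER]

# Same layout, but the intermediate is a version 1 certificate with no extensions.
INTER_V1 = Cert("CN=Legacy Intermediate", "CN=Example Root", 1)
SERVER_V1 = Cert("CN=www.example.org", "CN=Legacy Intermediate", 3, ca=False)
S_R_I_V1 = [SERVER_V1, ROOT, INTER_V1]

if __name__ == "__main__":
    print([c.subject for c in sort_chain(S_R_I)])
    print(verify_chain(S_R_I, [ROOT]))
    print(verify_chain(S_R_I_V1, [ROOT]))
    print(verify_chain(S_R_I_V1, [ROOT], ALLOW_X509_V1_CA_CRT))
```

The v3 S R I chain verifies with flags=0 once it is sorted; the chain with a v1 intermediate is rejected with flags=0 and accepted only with ALLOW_X509_V1_CA_CRT, which is the opt-in the flag is documented to provide. A v3 certificate with cA=FALSE is rejected as an issuer regardless of the flag.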


