GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
Michal Suchanek
hramrach at gmail.com
Tue Oct 30 10:04:27 CET 2012
Hello,
when this flag is set some certificates cannot be verified.
hermes.jabber.org sends a certificate chain laid out like
S R I, where S is the server certificate, R is the root certificate, and I
is the intermediate certificate which signs S and is signed by R. R is a
known CA.
gnutls-cli versions 2.8.6, 3.0.20 and 3.0.22 cannot verify the
certificate. gnutls-cli version 3.1.3 can.
Upgrading gnutls to 3.1 does not enable an application to verify the
certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is disabled in the application.
I am not sure what this flag is supposed to do but *disabling* the
ability to verify certificates is hopefully not the intention.
As Debian is shipping gnutls 3.0 this is somewhat troublesome if such a
certificate chain is supposed to be valid.
Any idea what the problem is here?
Thanks
Michal
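An added example, not from this thread or from GnuTLS, contrasting the two verifier behaviours the report describes: a strict check that requires each certificate to be issued by the next one sent rejects the S R I layout, while a path-building verifier that treats every sent certificate as a candidate intermediate accepts it. The certificates are constructed in-process and the function names (mkCert, strictOrder, pathBuild) are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 = 1
// mkCert issues a constructed cert for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// strictOrder mimics a verifier that insists chain[i] was issued by chain[i+1].
func strictOrder(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].CheckSignatureFrom(chain[i+1]) != nil {
			return false
		}
	}
	return true
}
// pathBuild verifies chain[0] against root, using every other sent cert as a candidate intermediate regardless of position.
func pathBuild(chain []*x509.Certificate, root *x509.Certificate) bool {
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	roots.AddCert(root)
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
```

pathBuild still fails when the intermediate is absent from the handshake entirely, so it distinguishes a misordered chain from an incomplete one.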