GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

Nikos Mavrogiannopoulos nmav at
Tue Oct 30 14:22:02 CET 2012

On Tue, Oct 30, 2012 at 2:17 PM, Nikos Mavrogiannopoulos
<nmav at> wrote:

> The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a dangerous flag and you
> shouldn't use it unless you really know the consequences. In short it
> means that an end-user certificate may pretend to be a CA.

Sorry, my comments were for the GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT
flag which you don't use. The flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is enabled by default so you don't have to set it.


More information about the Gnutls-help mailing list