GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

Michal Suchanek hramrach at
Tue Oct 30 15:41:38 CET 2012

On 30 October 2012 15:17, Nikos Mavrogiannopoulos <nmav at> wrote:
> On Tue, Oct 30, 2012 at 2:28 PM, Michal Suchanek <hramrach at> wrote:
>>> Now for the issue you see. It is because you do not set the flag
>>> GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
>>> chains will be sorted prior to verification. The reason you see this
>>> failure is because this flag is enabled by default on a credentials
>>> structure, unless it is overridden by other flags as you do.
>> So all the examples using gnutls_certificate_set_verify_flags are
>> bogus because they replace the defualt flags and break the
>> verification.
> Which examples do you refer to? However, an update_flags may be
> helpful indeed. I'll check it.

Don't know where the software author copied that line but eg. here

the manual advises to use set_verify_flags.



More information about the Gnutls-help mailing list