
Re: gnutls fails to use Verisign CA cert without a Basic Constraint


From: Douglas E. Engert
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Fri, 09 Jan 2009 11:59:47 -0600
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)


Simon Josefsson wrote:

> The default is to reject V1 CAs, so the application needs to supply
> either flag if they want a particular behaviour.
>
> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
> flags parameter.  If you call the verification through
> gnutls_session_verify_peers, you can use the
> gnutls_certificate_set_verify_flags function to set the flags to use
> (like cli.c does).

That will be a problem, as the application is ldap used by nss-ldap.
I have not looked at how they call gnutls, but we don't want to have to
change these too.

One could argue the application already provides the list of CA certs
it is willing to trust, so why does it need to provide an additional flag?

If the code change on your TODO list (to stop when an intermediate CA cert
is found on the trusted CA list) is made, then this would solve my problem,
as the intermediate cert is V3 and has CA:TRUE, and is trusted.


--

 Douglas E. Engert  <address@hidden>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
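As an added illustration (not gnutls code and not part of this thread), a small C model of the verification policy under discussion: a v1 certificate is accepted as a CA only when a flag allows it, a v3 CA must carry basicConstraints CA:TRUE, and the TODO-list change ends the chain walk as soon as an intermediate that is itself on the trusted list is reached. The flag names, the cert struct and the three certificates are constructed for this example; signatures are not checked.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical flag names (not gnutls's) modelling the two behaviours the thread discusses. */
#define VERIFY_ALLOW_V1_CA     0x1 /* accept an X.509 v1 cert (no basicConstraints) as a CA */
#define VERIFY_STOP_AT_TRUSTED 0x2 /* the TODO-list change: stop once a chain cert is itself trusted */

typedef struct {
    const char *subject, *issuer;
    int version;                /* 1 or 3 */
    bool has_basic_constraints; /* v3 only */
    bool ca;                    /* basicConstraints CA:TRUE */
} cert_t;

/* A v3 CA must carry basicConstraints CA:TRUE; a v1 cert is a CA only when the flag allows it. */
static bool acceptable_ca(const cert_t *c, unsigned flags) {
    if (c->version == 1)
        return (flags & VERIFY_ALLOW_V1_CA) != 0;
    return c->has_basic_constraints && c->ca;
}

static const cert_t *find_trusted(const char *subject, const cert_t *trusted, size_t nt) {
    for (size_t i = 0; i < nt; i++)
        if (strcmp(trusted[i].subject, subject) == 0)
            return &trusted[i];
    return NULL;
}

/* chain[0] is the leaf and chain[i+1] issues chain[i]; the last cert's issuer must be trusted. */
bool verify_chain(const cert_t *chain, size_t n, const cert_t *trusted, size_t nt, unsigned flags) {
    if (n == 0) return false;
    for (size_t i = 1; i < n; i++) { /* every cert after the leaf acts as an issuer */
        const cert_t *c = &chain[i];
        if (strcmp(c->subject, chain[i - 1].issuer) != 0 || !acceptable_ca(c, flags))
            return false; /* chain not contiguous, or this intermediate cannot act as a CA */
        if ((flags & VERIFY_STOP_AT_TRUSTED) && find_trusted(c->subject, trusted, nt))
            return true;  /* a trusted intermediate ends the walk */
    }
    const cert_t *root = find_trusted(chain[n - 1].issuer, trusted, nt);
    return root != NULL && acceptable_ca(root, flags);
}

/* Constructed scenario from the thread: v1 root without basicConstraints, v3 CA:TRUE intermediate. */
bool verisign_case(unsigned flags, bool intermediate_trusted) {
    static const cert_t root  = { "Root v1", "Root v1", 1, false, false };
    static const cert_t inter = { "Intermediate v3", "Root v1", 3, true, true };
    static const cert_t leaf  = { "ldap.example.test", "Intermediate v3", 3, true, false };
    const cert_t chain[] = { leaf, inter };
    const cert_t trusted[] = { root, inter }; /* intermediate is trusted only when asked */
    return verify_chain(chain, 2, trusted, intermediate_trusted ? 2 : 1, flags);
}
```

With only the v1 root trusted and no flags the chain fails, exactly the case the thread describes; either allowing v1 CAs or trusting the intermediate with the stop-at-trusted behaviour makes it pass.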