Re: gnutls fails to use Verisign CA cert without a Basic Constraint
From: Douglas E. Engert
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Wed, 14 Jan 2009 11:04:02 -0600
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)
Simon Josefsson wrote:
> If the patch is over 10 lines long we will need a copyright assignment
> before we can apply it though. If you want to speed up the process, you
> could fill out the form below now.
I sent in the form to address@hidden. They are sending a paper copy
which must be signed and mailed back. This may be a problem, as I will
have to get it OK'ed, which might take weeks.
So here is the short version of a "shorten the cert chain" patch that
is only 10 lines long. Do with it what you want. As this fixes
our problem, I consider it a bug fix.
But you will need to add a check_if_same_cert routine, which can be
taken from the first half of the check_if_ca routine. The line numbers
may be off, but in the 2.6.3 version, it would be inserted at line 394.
This will also solve our problem, as the V1 cert will not get used at all
and the intermediate cert is trusted and is V3.
Thanks.
--
Douglas E. Engert <address@hidden>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--- x509/,verify.c 2009-01-06 14:02:41.000000000 -0600
+++ x509/verify.c 2009-01-14 10:47:43.000000000 -0600
@@ -397,6 +482,16 @@
}
}
+ /* Shorten cert chain at point we find a trusted cert */
+ for (i = 1; i < clist_size; i++) {
+ int j;
+ for (j = 0; j < tcas_size; j++) {
+ if (check_if_same_cert (certificate_list[i], trusted_cas[j], flags) ==
1) {
+ clist_size = i;
+ break;
+ }
+ }
+ }
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
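Review bot: in the added loop, `clist_size = i; break;` only leaves the inner `j` loop, and the outer `for (i = 1; i < clist_size; i++)` ends solely because the shrunken `clist_size` makes its condition false on the next pass. That works, but it is easy to break in a later edit; make the exit explicit, for example with a found flag tested in the outer loop condition or by moving the search into a helper that returns the matching index. Two further points: `check_if_same_cert` is not defined in this patch, so it has to land together with it, and because a match here discards `certificate_list[i]` and everything above it from the chain, it should compare the complete certificate rather than a subset of fields, with its use of `flags` documented. The comment could also state that starting at `i = 1` is deliberate, so the end certificate is never truncated away.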