From: Andreas Metzler
Subject: Re: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a
Date: Sat, 20 Nov 2010 15:53:16 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On 2010-07-13 Nikos Mavrogiannopoulos <address@hidden> wrote:
> Simon Josefsson wrote:
>> "Nikos Mavrogiannopoulos" <address@hidden> writes:

>>> +  gnutls_certificate_set_verify_flags(xcred, 
>>> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 
>> What was the reason for this change?  Do we want to do this
>> unconditionally?  Maybe we could introduce a --permit-v1-cas flag?  I'd
>> rather prefer to treat V1 CAs as broken-by-default...

> There is no practical problem with having V1 root CAs, the problem is
> with the intermediate (untrusted) and this flag allows only root CAs. If
> disabled it fails to verify a large fraction of any root CA list. A flag
> that would disallow them would offer the functionality you say, but I
> don't think it should be the default (not today with this large set of
> V1 CAs at least).
[...]

Hello,

I have stumbled upon gnutls-cli's changed behavior today and could not
find anything in NEWS or Changelog about a policy change. If this
stays in, please document it. (simple patch attached, perhaps the manpage
should say so, too.)

Also I think different default values in gnutls-the-library and
gnutls-cli are confusing. ("My gnutls using app has problem x" -
"Please try to reproduce with gnutls-cli" - "Cannot.") Either
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a more sensible default value
(AFAIK OpenSSL is using it, and about 50% of all TLS certificates are
signed by V1 CAs, e.g. Go Daddy.) or not. If
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is truly evil gnutls-cli should
not use it by default.

cu andreas
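The thread turns on one question: how many certificates in a trust list are X.509 v1 (and so need GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT before GnuTLS will accept them as CAs)? The following is an added example, not part of this thread and not GnuTLS code; it parses only the leading bytes of a DER certificate to read the version field, whose absence means v1 by the ASN.1 default, and counts v1 entries in a list. The DER fragments are constructed, structurally consistent prefixes (a version field and a serial number), not real certificates; an audit of a real trust file would import each certificate with gnutls_x509_crt_import() and call gnutls_x509_crt_get_version() instead of reimplementing the parse.

```c
#include <stddef.h>
#include <stdio.h>

/* Decode one DER tag/length header at der[pos] within a buffer of `size` bytes.
 * On success returns 0 and fills *tag, *len (content length) and *hdr (header
 * size). Rejects indefinite lengths (not DER) and any length that overruns. */
static int der_header(const unsigned char *der, size_t size, size_t pos,
                      unsigned char *tag, size_t *len, size_t *hdr)
{
    if (pos + 2 > size)
        return -1;
    *tag = der[pos];
    unsigned char first = der[pos + 1];
    size_t n = 2;
    if (first < 0x80) {
        *len = first;                       /* short form */
    } else {
        size_t nbytes = first & 0x7F;       /* long form: count of length bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + 2 + nbytes > size)
            return -1;
        *len = 0;
        for (size_t i = 0; i < nbytes; i++)
            *len = (*len << 8) | der[pos + 2 + i];
        n += nbytes;
    }
    if (*len > size - pos - n)
        return -1;                          /* content would overrun the buffer */
    *hdr = n;
    return 0;
}

/* Return the X.509 version (1, 2 or 3) of a DER-encoded certificate, or -1 if
 * the outer structure cannot be parsed. TBSCertificate starts with
 * "version [0] EXPLICIT Version DEFAULT v1(0)", so a missing [0] means v1. */
int x509_version_from_der(const unsigned char *der, size_t size)
{
    unsigned char tag;
    size_t len, hdr, pos = 0;

    /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } */
    if (der_header(der, size, pos, &tag, &len, &hdr) || tag != 0x30)
        return -1;
    pos += hdr;
    size_t end = pos + len;                 /* parse no further than the outer SEQUENCE */

    /* TBSCertificate ::= SEQUENCE { version [0] EXPLICIT ..., serialNumber, ... } */
    if (der_header(der, end, pos, &tag, &len, &hdr) || tag != 0x30)
        return -1;
    pos += hdr;
    size_t tbs_end = pos + len;

    /* Optional context tag [0]: absent in v1 certificates. */
    if (der_header(der, tbs_end, pos, &tag, &len, &hdr))
        return -1;
    if (tag != 0xA0)
        return 1;
    pos += hdr;
    size_t ver_end = pos + len;
    if (der_header(der, ver_end, pos, &tag, &len, &hdr) || tag != 0x02 || len != 1)
        return -1;
    unsigned char v = der[pos + hdr];       /* encoded value: 0 = v1, 1 = v2, 2 = v3 */
    if (v > 2)
        return -1;
    return (int)v + 1;
}

/* Count the v1 certificates in a list; unparseable entries are tallied in *bad.
 * Every v1 entry is one that a verifier without the allow-V1-CA flag would
 * refuse to use as a CA. */
size_t count_v1_certs(const unsigned char *const *certs, const size_t *lens,
                      size_t n, size_t *bad)
{
    size_t v1 = 0;
    *bad = 0;
    for (size_t i = 0; i < n; i++) {
        int ver = x509_version_from_der(certs[i], lens[i]);
        if (ver < 0)
            (*bad)++;
        else if (ver == 1)
            v1++;
    }
    return v1;
}

/* Constructed DER prefixes (not real certificates): SEQUENCE { SEQUENCE { ... } }. */
const unsigned char kSampleV1[] = { 0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01 };
const unsigned char kSampleV2[] = { 0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x01,
                                    0x02, 0x01, 0x01 };
const unsigned char kSampleV3[] = { 0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x02,
                                    0x02, 0x01, 0x01 };
const unsigned char kSampleBad[] = { 0x30, 0x0A, 0x30 };   /* truncated: length overruns */

int main(void)
{
    const unsigned char *certs[] = { kSampleV1, kSampleV2, kSampleV3, kSampleBad };
    const size_t lens[] = { sizeof kSampleV1, sizeof kSampleV2, sizeof kSampleV3,
                            sizeof kSampleBad };
    size_t bad;
    size_t v1 = count_v1_certs(certs, lens, 4, &bad);
    printf("%zu of 4 entries are X.509 v1, %zu unparseable\n", v1, bad);
    return 0;
}
```

Running it prints the share of v1 entries in the constructed list; pointed at a real trust file it would show whether the "large fraction" argument in the thread holds for that store, and whether a default of rejecting v1 CAs would break the store in practice.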
