[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
From: |
Michal Suchanek |
Subject: |
Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification |
Date: |
Tue, 30 Oct 2012 15:41:38 +0100 |
On 30 October 2012 15:17, Nikos Mavrogiannopoulos <address@hidden> wrote:
> On Tue, Oct 30, 2012 at 2:28 PM, Michal Suchanek <address@hidden> wrote:
>
>>> Now for the issue you see. It is because you do not set the flag
>>> GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
>>> chains will be sorted prior to verification. The reason you see this
>>> failure is because this flag is enabled by default on a credentials
>>> structure, unless it is overridden by other flags as you do.
>> So all the examples using gnutls_certificate_set_verify_flags are
>> bogus because they replace the defualt flags and break the
>> verification.
>
> Which examples do you refer to? However, an update_flags may be
> helpful indeed. I'll check it.
Don't know where the software author copied that line but eg. here
http://www.gnu.org/software/gnutls/manual/html_node/Digital-signatures.html
the manual advises to use set_verify_flags.
Thanks
Michal