Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

[Nikos Mavrogiannopoulos]

Simon Josefsson wrote:

> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
> 
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
> 
> It seems this problem is caused by the chain validation algorithm now
> also look at the CA cert, but it didn't before the GNUTLS-SA-2008-3
> patch.

Ouch. Then it seems we correct the previous algorithm and revert to it.
I'll try to check it out.

regards,
Nikos