Re: Intermediate Certificate problem
From: Nikos Mavrogiannopoulos
Subject: Re: Intermediate Certificate problem
Date: Thu, 08 Jul 2010 17:59:28 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)
Simon Brown wrote:
> Hi,
> I use the Wanderlust email client and the Debian packager, Tatsuya, has
> recently changed to using GNU TLS from OpenSSL. This has caused a
> problem for me as an IMAP server I use seems to have a certificate
> problem which either didn't exist before or was ignored by OpenSSL.
> The instructions to help diagnose the problem given by Tatsuya the
> packager are shown below with the output. The server's administrators
> claim there is not a problem as Thunderbird on Win32 has no
> problem. Thunderbird does not include the Educational certificate in
> its root store.
It seems that the program you are using should set the verification flag
to allow X.509 V.1 certificates. This is done with the
gnutls_certificate_set_verify_flags(xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
call. For some reason it wasn't default in gnutls-cli as well. I've set
it now.
> I have worked around the problem by adding the intermediate
> certificate to my local store. I would nonetheless be very grateful
> for any help in locating the cause of the problem.
By default we disable version 1 certificates since it is not possible to
distinguish CA certificates from end-user (server) certificates. If one
is sure that his trusted certificate storage only contains CA
certificates, then this flag should be specified.
regards,
Nikos