help-gnutls

Re: Intermediate Certificate problem


From: Nikos Mavrogiannopoulos
Subject: Re: Intermediate Certificate problem
Date: Thu, 08 Jul 2010 17:59:28 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Simon Brown wrote:
> Hi,

> I use the Wanderlust email client and the Debian packager, Tatsuya has
> recently changed to using GNU TLS from OpenSSL. This has caused a
> problem for me as an IMAP server I use seems to have a certificate
> problem which either didn't exist before or was ignored by OpenSSL.
> The instructions to help diagnose the problem given by Tatsuya the
> packager are shown below with the output. The server's administrators
> claim there is not a problem as Thunderbird on Win32 has no
> problem. Thunderbird does not include the Educational certificate in
> its root store

It seems that the program you are using should set the verification flag
to allow X.509 V.1 certificates. This is done with the

    gnutls_certificate_set_verify_flags(xcred,
        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

call. For some reason it wasn't default in gnutls-cli as well. I've set
it now.

> I have worked around the problem by adding the intermediate
> certificate to my local store. I would none the less be very grateful
> for any help in locating the cause of the problem.

By default we disable version 1 certificates since it is not possible to
distinguish CA certificates from end-user (server) certificates. If one
is sure that his trusted certificate storage only contains CA
certificates, then this flag should be specified.

regards,
Nikos
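
An added example, not part of the original message and not GnuTLS code: a dependency-free C check that reads the version field of a DER-encoded certificate, so a trust store can be audited for version 1 entries before GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is enabled. Version 1 certificates omit the optional version field and cannot carry extensions such as basicConstraints, which is why a CA cannot be told apart from a server certificate. The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one DER tag+length header at buf[*pos]; on success store the tag and
 * content length, leave *pos at the first content byte, and return 0. */
static int der_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *clen)
{
    if (*pos > len || len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    size_t n = buf[(*pos)++];
    if (n & 0x80) {                      /* long form: low 7 bits = byte count */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > len - *pos) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | buf[(*pos)++];
    }
    if (n > len - *pos) return -1;       /* content must fit in the buffer */
    *clen = n;
    return 0;
}

/* Return the X.509 version (1, 2 or 3) of a DER certificate, or -1 if the
 * leading fields cannot be parsed. */
int x509_version(const uint8_t *der, size_t len)
{
    size_t pos = 0, clen, end;
    uint8_t tag;
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1;
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1;
    end = pos + clen;                    /* end of tbsCertificate */
    if (der_header(der, end, &pos, &tag, &clen)) return -1;
    if (tag == 0x02) return 1;           /* serialNumber first: version omitted, v1 */
    if (tag != 0xA0) return -1;
    end = pos + clen;                    /* end of the [0] EXPLICIT wrapper */
    if (der_header(der, end, &pos, &tag, &clen) || tag != 0x02 || clen != 1)
        return -1;
    return der[pos] <= 2 ? der[pos] + 1 : -1;  /* 0,1,2 encode v1,v2,v3 */
}

/* Constructed samples: only the leading DER fields, not valid certificates. */
static const uint8_t V1_SKELETON[] = { 0x30,0x05, 0x30,0x03, 0x02,0x01,0x01 };
static const uint8_t V3_SKELETON[] = { 0x30,0x0A, 0x30,0x08,
    0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01 };

int main(void)
{
    printf("v1 skeleton: version %d\n", x509_version(V1_SKELETON, sizeof V1_SKELETON));
    printf("v3 skeleton: version %d\n", x509_version(V3_SKELETON, sizeof V3_SKELETON));
    return 0;
}
```

Any trusted certificate for which this returns 1 would be accepted as a CA once the flag is set, so each such entry should be confirmed to be a genuine CA certificate.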


