Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

[Nikos Mavrogiannopoulos]

On Tue, Oct 30, 2012 at 2:22 PM, Michal Suchanek <address@hidden> wrote:

>> Now for the issue you see. It is because you do not set the flag
>> GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
>> chains will be sorted prior to verification. The reason you see this
>> failure is because this flag is enabled by default on a credentials
>> structure, unless it is overridden by other flags as you do.
> The verification does not work on gnutls before 3.1 regardless of setting 
> flags.
> Has that default changed in 3.1?

The GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN was introduced in 3.1 if this
is what you mean.

regards,
Nikos