Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Dec 4 20:06:47 CET 2008
Simon Josefsson wrote:
> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
>
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
>
> It seems this problem is caused by the chain validation algorithm now
> also look at the CA cert, but it didn't before the GNUTLS-SA-2008-3
> patch.
Ouch. Then it seems we correct the previous algorithm and revert to it.
I'll try to check it out.
regards,
Nikos
More information about the Gnutls-devel
mailing list