Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

Simon Josefsson simon at josefsson.org
Wed Dec 10 15:32:50 CET 2008

My approach introduced a problem with the pkcs1-padding self-test that
uses certtool --verify-chain, and the self-test assumes that the last
certificate is actually verified against its own public key...  so
short-cutting the validation of trust anchors changed the semantics of
one public interface.  Sigh.  So I have reverted my patch.

Simon Josefsson <simon at josefsson.org> writes:

> I believe that is wrong: with your patch it will fail when the CA is
> self-signed using RSA-MD2.

There aren't many of those around, so I think we can leave it as a
documented bug that self-signed RSA-MD2 certificate cannot be used as a
trust anchor.  One might see that as a feature, even. ;)

I've aligned the self-tests with Nikos' approach.


More information about the Gnutls-devel mailing list