Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
Simon Josefsson
simon at josefsson.org
Wed Dec 10 15:32:50 CET 2008
My approach introduced a problem with the pkcs1-padding self-test that
uses certtool --verify-chain, and the self-test assumes that the last
certificate is actually verified against its own public key... so
short-cutting the validation of trust anchors changed the semantics of
one public interface. Sigh. So I have reverted my patch.
Simon Josefsson <simon at josefsson.org> writes:
> I believe that is wrong: with your patch it will fail when the CA is
> self-signed using RSA-MD2.
There aren't many of those around, so I think we can leave it as a
documented bug that self-signed RSA-MD2 certificate cannot be used as a
trust anchor. One might see that as a feature, even. ;)
I've aligned the self-tests with Nikos' approach.
/Simon
More information about the Gnutls-devel
mailing list