Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Dec 10 18:03:24 CET 2008


Simon Josefsson wrote:
> My approach introduced a problem with the pkcs1-padding self-test that
> uses certtool --verify-chain, and the self-test assumes that the last
> certificate is actually verified against its own public key...  so
> short-cutting the validation of trust anchors changed the semantics of
> one public interface.  Sigh.  So I have reverted my patch.
> 
> Simon Josefsson <simon at josefsson.org> writes:
> 
>> I believe that is wrong: with your patch it will fail when the CA is
>> self-signed using RSA-MD2.
> There aren't many of those around, so I think we can leave it as a
> documented bug that self-signed RSA-MD2 certificate cannot be used as a
> trust anchor.  One might see that as a feature, even. ;)
> I've aligned the self-tests with Nikos' approach.

What I don't understand is why it fails with my approach. Since I remove
the trusted certificate from the chain it shouldn't be an issue. For
example this issue does not occur any more with
hbci-pintan-rp.s-hbci.de. In which cases did you notice that?

regards,
Nikos
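The two verification policies under discussion, modelled as an added example (this is not GnuTLS code and not the self-test in the thread): the older semantics check the signature of every certificate in the chain, including the last one against its own public key, so a trust anchor self-signed with a disallowed hash (RSA-MD2 here) fails; the approach Nikos describes stops as soon as a trust anchor from the store is reached and never evaluates the anchor's own signature. The certificate format, the `key` strings and the SHA-256-based "signature" are constructed stand-ins for X.509 and RSA; the `sig_hash` field records the algorithm a real certificate would name, which is what the policy check inspects.

```python
import hashlib
from dataclasses import dataclass

# Hash algorithms accepted in certificate signatures. MD2 is deliberately
# absent, which is the situation in the thread: a trust anchor self-signed
# with RSA-MD2 cannot pass a check of its own signature.
ALLOWED_SIG_HASHES = {"sha1", "sha256"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # constructed stand-in for an RSA key pair (same string signs and verifies)
    sig_hash: str   # hash algorithm the certificate's signature claims to use
    signature: str


def tbs(subject, issuer, key, sig_hash):
    # The "to-be-signed" portion of the certificate, flattened to one string.
    return f"{subject}|{issuer}|{key}|{sig_hash}"


def make_cert(subject, issuer, key, issuer_key, sig_hash):
    # Toy signature: SHA-256 over the issuer's key and the TBS data. It stands
    # in for an RSA signature; sig_hash is only a label the policy looks at.
    body = tbs(subject, issuer, key, sig_hash)
    sig = hashlib.sha256(f"{issuer_key}|{body}".encode()).hexdigest()
    return Cert(subject, issuer, key, sig_hash, sig)


def check_signature(cert, signer):
    # Verify that `signer` issued `cert`: name chaining, hash policy, signature.
    if cert.issuer != signer.subject:
        return False, f"{cert.subject}: issuer does not match {signer.subject}"
    if cert.sig_hash not in ALLOWED_SIG_HASHES:
        return False, f"{cert.subject}: signature hash {cert.sig_hash} not allowed"
    body = tbs(cert.subject, cert.issuer, cert.key, cert.sig_hash)
    expected = hashlib.sha256(f"{signer.key}|{body}".encode()).hexdigest()
    if cert.signature != expected:
        return False, f"{cert.subject}: bad signature"
    return True, "ok"


def verify_chain_checking_anchor(chain, trusted):
    """Older semantics: every certificate is checked against the next one, and
    the last certificate must be a trust anchor AND verify against its own key."""
    for cert, signer in zip(chain, chain[1:]):
        ok, why = check_signature(cert, signer)
        if not ok:
            return False, why
    last = chain[-1]
    if last not in trusted:
        return False, f"{last.subject}: not a trust anchor"
    return check_signature(last, last)


def verify_chain_cut_at_anchor(chain, trusted):
    """Approach from the thread: walk from the leaf and stop at the first
    certificate found in the trust store. The anchor's own signature (and
    therefore its hash algorithm) is never evaluated."""
    for i, cert in enumerate(chain):
        if cert in trusted:
            return True, f"{cert.subject}: trust anchor reached"
        if i + 1 == len(chain):
            return False, f"{cert.subject}: chain ends without reaching a trust anchor"
        ok, why = check_signature(cert, chain[i + 1])
        if not ok:
            return False, why
    return False, "empty chain"


# Constructed sample chain: leaf <- intermediate <- root, root self-signed with MD2.
ROOT_KEY, INT_KEY, LEAF_KEY = "root-key", "int-key", "leaf-key"
ROOT = make_cert("Root CA", "Root CA", ROOT_KEY, ROOT_KEY, "md2")
INTER = make_cert("Intermediate CA", "Root CA", INT_KEY, ROOT_KEY, "sha256")
LEAF = make_cert("www.example.org", "Intermediate CA", LEAF_KEY, INT_KEY, "sha256")
CHAIN = [LEAF, INTER, ROOT]
TRUST_STORE = {ROOT}

# Same root but with a corrupted self-signature: this is the case Simon's
# self-test relies on, where the last certificate is verified against its own key.
BAD_ROOT = Cert(ROOT.subject, ROOT.issuer, ROOT.key, "sha256", "0" * 64)
CHAIN_BAD_ROOT = [LEAF, INTER, BAD_ROOT]


if __name__ == "__main__":
    print("checking anchor:", verify_chain_checking_anchor(CHAIN, TRUST_STORE))
    print("cut at anchor:  ", verify_chain_cut_at_anchor(CHAIN, TRUST_STORE))
    print("corrupt anchor, checking:", verify_chain_checking_anchor(CHAIN_BAD_ROOT, {BAD_ROOT}))
    print("corrupt anchor, cut:     ", verify_chain_cut_at_anchor(CHAIN_BAD_ROOT, {BAD_ROOT}))
```

Running it shows both sides of the disagreement: the MD2 root is rejected only by the policy that verifies the anchor's self-signature, while the corrupted self-signature on `BAD_ROOT` is caught only by that same policy, which is exactly the behaviour the `certtool --verify-chain` self-test depends on.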