gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at
Fri Jan 9 10:56:40 CET 2009

"Douglas E. Engert" <deengert at> writes:

> Attached are the server cert (, the intermediate cert (f0a38a80.0)
> and the CA self signed cert (7651b327.0)

Thanks, I can reproduce the problem.  Should be fixed with this patch:

> *BUT* if one trusts both B and C, do we need to verify C?
> Why does the code around line 265 not stop after finding that B is in the tcas,
> rather than looking for C, and then verifying it?

GnuTLS does not support stopping at intermediate CAs right now, see

- Chain verifications.
  - Short-cut the certificate verification algorithm before the
    root if a middle-CA is trusted.

Fixing this would be useful.
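Added example (not code from this thread or from GnuTLS): the two questions raised above, run through Go's crypto/x509 path validation on a constructed test hierarchy. Certificate names, serial numbers and host names are made up. One trust store holds only the intermediate with the root absent (the short-cut Simon says GnuTLS lacks), and one holds a self-signed CA that carries no Basic Constraints extension at all, the shape of the VeriSign root in the subject line. The constructed CA sets keyCertSign explicitly because Go also refuses an issuer whose key usage is present but omits that bit, and the point here is to isolate the Basic Constraints check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed hierarchy (not real certificates): Root -> Inter -> Leaf, and NoBCRoot -> NoBCLeaf.
type testPKI struct {
	Root, Inter, Leaf, NoBCRoot, NoBCLeaf *x509.Certificate
}

// must panics on error; acceptable for a constructed example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a one-hour certificate template. With ca=false, BasicConstraintsValid stays
// false and no Basic Constraints extension is emitted at all (CreateCertificate always writes v3).
func template(serial int64, cn string, ca bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: ca,
		KeyUsage:              usage,
	}
}

// issue generates a P-256 key and signs tmpl under parent with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func buildTestPKI() *testPKI {
	sign, leafUse := x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature
	root, rootKey := issue(template(1, "Test Root", true, sign), nil, nil)
	inter, interKey := issue(template(2, "Test Intermediate", true, sign), root, rootKey)
	leaf, _ := issue(template(3, "good.example", false, leafUse), inter, interKey)
	// Self-signed CA whose key usage permits certSign but which, like the
	// VeriSign root in the thread, carries no Basic Constraints extension.
	noBC, noBCKey := issue(template(4, "Test Root without Basic Constraints", false, sign), nil, nil)
	noBCLeaf, _ := issue(template(5, "other.example", false, leafUse), noBC, noBCKey)
	return &testPKI{root, inter, leaf, noBC, noBCLeaf}
}

// chainLength validates leaf against the given trust anchors and untrusted intermediates; returns the length of the first accepted chain.
func chainLength(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// FullChain: root trusted, intermediate supplied -> leaf, inter, root (3 certificates).
func (p *testPKI) FullChain() (int, error) {
	return chainLength(p.Leaf, []*x509.Certificate{p.Root}, []*x509.Certificate{p.Inter})
}

// TrustIntermediateOnly: the root is not available at all and only the intermediate is trusted.
// Go stops at the first trust anchor it reaches (2 certificates): the short-cut the thread says GnuTLS lacks.
func (p *testPKI) TrustIntermediateOnly() (int, error) {
	return chainLength(p.Leaf, []*x509.Certificate{p.Inter}, nil)
}

// RootWithoutBasicConstraints: CheckSignatureFrom applies RFC 5280 4.2.1.9 to every v3 issuer,
// trust anchor or not, so this fails just as GnuTLS did on the VeriSign root in the thread.
func (p *testPKI) RootWithoutBasicConstraints() (int, error) {
	return chainLength(p.NoBCLeaf, []*x509.Certificate{p.NoBCRoot}, nil)
}

func main() {
	p := buildTestPKI()
	fmt.Println(p.FullChain())
	fmt.Println(p.TrustIntermediateOnly())
	fmt.Println(p.RootWithoutBasicConstraints())
}
```

The second call returns a two-certificate chain although no root is present anywhere, because Go treats every certificate in Roots as an anchor and ends the path there. The third call fails: Go's CheckSignatureFrom enforces the RFC 5280 4.2.1.9 rule that a version 3 certificate without Basic Constraints must not be used to verify certificate signatures, and it does so for trust anchors too; only certificates with a version below 3, which predate the extension, are exempt from that test. Whether a given validator exempts old v1 anchors is a detail worth checking before relying on such a root.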

