gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at josefsson.org
Fri Jan 9 10:56:40 CET 2009


"Douglas E. Engert" <deengert at anl.gov> writes:

> Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0)
> and the CA self signed cert (7651b327.0)

Thanks, I can reproduce the problem.  Should be fixed with this patch:

 http://git.savannah.gnu.org/cgit/gnutls.git/commit/

> *BUT* if one trusts both B and C, do we need to verify C?
> Why does the code around line 265 not stop after finding that B is in the tcas,
> rather than looking for C, and then verifying it?

GnuTLS does not support stopping at intermediate CAs right now, see
doc/TODO:

- Chain verifications.
  - Short-cut the certificate verification algorithm before the
    root if a middle-CA is trusted.

Fixing this would be useful.

Thanks,
/Simon
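The two behaviours discussed in this message, a trust anchor that carries no basicConstraints extension and a chain walk that could stop at a trusted intermediate instead of continuing to the root, can be modelled in a few dozen lines. The following is an added example written for this page, not GnuTLS code and not the patch linked above. It assumes a toy PKI in which an HMAC keyed by the issuer's secret stands in for a real signature, and the certificate names, keys and the `verify_chain` policy flags are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed toy CA keys. An HMAC over the to-be-signed fields stands in for a
# real RSA/ECDSA signature so the chain walk runs offline with the standard
# library; the walk and its policy decisions are what this example shows.
KEYS = {
    "Toy Root CA": b"root-secret",
    "Toy Intermediate CA": b"intermediate-secret",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # True = basicConstraints CA:TRUE, False = CA:FALSE,
    # None = extension absent (typical of old v1 roots, as in the report above)
    basic_constraints: Optional[bool]
    signature: bytes

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.basic_constraints}".encode()


def issue(subject: str, issuer: str, basic_constraints: Optional[bool]) -> Cert:
    """Create a cert whose signature is the issuer's HMAC over the TBS fields."""
    unsigned = Cert(subject, issuer, basic_constraints, b"")
    sig = hmac.new(KEYS[issuer], unsigned.tbs(), hashlib.sha256).digest()
    return Cert(subject, issuer, basic_constraints, sig)


def signature_valid(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(KEYS[issuer.subject], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def verify_chain(leaf: Cert, extra: Iterable[Cert], trusted: Iterable[Cert],
                 stop_at_trusted_intermediate: bool, require_ca_flag_on_anchor: bool,
                 max_depth: int = 8) -> Tuple[bool, str, List[str]]:
    """Walk from the leaf toward a trust anchor.

    `trusted` are the trust anchors (the "tcas" in the thread), `extra` the
    untrusted certs sent by the peer. Returns (ok, reason, path of subjects)."""
    trusted = set(trusted)
    # Trusted certs win over peer-supplied ones that reuse a subject name.
    by_subject: Dict[str, Cert] = {c.subject: c for c in [*extra, *trusted]}
    cur, path = leaf, [leaf.subject]
    for _ in range(max_depth):
        # Short-cut: the cert in hand is itself a trust anchor. A trusted
        # self-signed root always ends the walk; a trusted intermediate only
        # does so when the short-cut policy is enabled.
        if cur in trusted and (stop_at_trusted_intermediate or cur.subject == cur.issuer):
            return True, f"chain ends at trusted {cur.subject!r}", path
        if cur.subject == cur.issuer:
            return False, f"self-signed {cur.subject!r} is not in the trust store", path
        issuer = by_subject.get(cur.issuer)
        if issuer is None:
            return False, f"no certificate found for issuer {cur.issuer!r}", path
        if not signature_valid(cur, issuer):
            return False, f"signature on {cur.subject!r} does not verify under {issuer.subject!r}", path
        # basicConstraints policy: CA:FALSE is always fatal. A missing extension
        # is fatal for any untrusted CA, and for a trust anchor only when the
        # strict policy insists on CA:TRUE there as well.
        if issuer.basic_constraints is False:
            return False, f"{issuer.subject!r} asserts CA:FALSE", path
        if issuer.basic_constraints is None and (issuer not in trusted or require_ca_flag_on_anchor):
            return False, f"{issuer.subject!r} lacks basicConstraints CA:TRUE", path
        cur = issuer
        path.append(cur.subject)
    return False, "chain too long", path


# Constructed chain: v1-style root without basicConstraints, a proper intermediate, a leaf.
ROOT = issue("Toy Root CA", "Toy Root CA", None)
INTER = issue("Toy Intermediate CA", "Toy Root CA", True)
INTER_NOFLAG = issue("Toy Intermediate CA", "Toy Root CA", None)
LEAF = issue("server.example.test", "Toy Intermediate CA", False)
FORGED_LEAF = Cert(LEAF.subject, LEAF.issuer, LEAF.basic_constraints, bytes(32))


def scenarios() -> Dict[str, Tuple[bool, str, List[str]]]:
    """The cases raised in the thread, keyed by name."""
    return {
        # Reported failure: only the v1 root is trusted and the verifier insists on CA:TRUE for it.
        "strict_anchor": verify_chain(LEAF, [INTER], {ROOT}, False, True),
        # Relaxed: a trust anchor is trusted by identity, so the absent extension is tolerated.
        "lenient_anchor": verify_chain(LEAF, [INTER], {ROOT}, False, False),
        # B (intermediate) and C (root) both trusted: stop at B, C is never examined.
        "shortcut_at_intermediate": verify_chain(LEAF, [], {ROOT, INTER}, True, True),
        # Same trust store without the short-cut: the walk reaches C and strict mode fails there.
        "no_shortcut_strict": verify_chain(LEAF, [], {ROOT, INTER}, False, True),
        # An untrusted intermediate without CA:TRUE is rejected even under the lenient policy.
        "intermediate_without_ca_flag": verify_chain(LEAF, [INTER_NOFLAG], {ROOT}, False, False),
        "forged_leaf": verify_chain(FORGED_LEAF, [INTER], {ROOT}, False, False),
    }


if __name__ == "__main__":
    for name, (ok, reason, path) in scenarios().items():
        print(f"{name:30s} {'OK ' if ok else 'FAIL'} {' -> '.join(path)}  ({reason})")
```

The point the example makes is that the two policies are independent: relaxing the basicConstraints check only for certificates that are already in the trust store keeps the CA:TRUE requirement for every peer-supplied intermediate, and the short-cut at a trusted intermediate means a problematic root never needs to be parsed at all when the intermediate is what the operator actually trusts.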
More information about the Gnutls-devel mailing list