gnutls fails to use Verisign CA cert without a Basic Constraint
Simon Josefsson
simon at josefsson.org
Fri Jan 9 10:56:40 CET 2009
"Douglas E. Engert" <deengert at anl.gov> writes:
> Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0)
> and the CA self signed cert (7651b327.0)
Thanks, I can reproduce the problem. Should be fixed with this patch:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/
> *BUT* if one trusts both B and C, do we need to verify C?
> Why does the code around line 265 not stop after finding that B is in the tcas,
> rather than looking for C, and then verifying it?
GnuTLS does not support stopping at intermediate CAs right now, see
doc/TODO:
- Chain verifications.
- Short-cut the certificate verification algorithm before the
root if a middle-CA is trusted.
Fixing this would be useful.
Thanks,
/Simon
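The two behaviours discussed in this message, a root without basicConstraints and the short-cut at a trusted middle CA, can be exercised against a verifier that already implements the short-cut. The following is an added example and is not code from this thread or from GnuTLS: it uses Go's standard crypto/x509 package (whose chain builder stops at any certificate placed in the Roots pool) on a constructed root, intermediate and leaf with throwaway keys, and the hostname auth2.example.test is made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// leafHost is a constructed hostname for the leaf certificate.
const leafHost = "auth2.example.test"

// issue stamps a serial and a 24-hour validity window on tmpl, generates a
// fresh P-256 key for it, signs it with parentKey under parent (a nil parent
// means self-signed) and returns the parsed certificate and the new key.
func issue(serial int64, tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain returns a constructed root, intermediate and leaf (none of them
// real CA certificates). With rootHasBC false the self-signed root carries no
// basicConstraints extension at all, like the Verisign root in the report.
func BuildChain(rootHasBC bool) (root, inter, leaf *x509.Certificate, err error) {
	root, rootKey, err := issue(1, &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		KeyUsage:              x509.KeyUsageCertSign,
		IsCA:                  rootHasBC,
		BasicConstraintsValid: rootHasBC,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(2, &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Constructed Intermediate CA"},
		KeyUsage:              x509.KeyUsageCertSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue(3, &x509.Certificate{
		Subject:     pkix.Name{CommonName: leafHost},
		DNSNames:    []string{leafHost},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, err
}

// VerifyLeaf verifies leaf with anchor as the only trust anchor and untrusted
// (if non-nil) available for chain building; it returns the length of the
// first chain found. Passing the intermediate as anchor with no untrusted
// certificate is the short-cut case from doc/TODO: the root is never consulted.
func VerifyLeaf(leaf, anchor, untrusted *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	if untrusted != nil {
		inters.AddCert(untrusted)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: leafHost, Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	for _, rootHasBC := range []bool{true, false} {
		root, inter, leaf, err := BuildChain(rootHasBC)
		if err != nil {
			panic(err)
		}
		n, err := VerifyLeaf(leaf, root, inter)
		fmt.Printf("root basicConstraints=%-5v trust root:         chain=%d err=%v\n", rootHasBC, n, err)
		n, err = VerifyLeaf(leaf, inter, nil)
		fmt.Printf("root basicConstraints=%-5v trust intermediate: chain=%d err=%v\n", rootHasBC, n, err)
	}
}
```

With the root trusted the chain is three certificates long; with the intermediate trusted directly it is two, and the root's extensions never matter, which is the behaviour the TODO item asks for. Trusting the root without basicConstraints fails in this verifier too: Go applies RFC 5280 section 4.2.1.9 (a version 3 certificate without the cA boolean asserted must not be used to verify certificate signatures) and exempts only version 1 certificates, which is why old roots without the extension are a special case for any verifier. One caveat on the short-cut: a verifier that stops at a trusted intermediate never sees the root's CRL, so a revocation of that intermediate by its issuer goes unnoticed unless the trust store itself is updated.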