gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at
Fri Jan 9 17:40:53 CET 2009

Simon Josefsson wrote:
> Simon Josefsson <simon at> writes:
>> "Douglas E. Engert" <deengert at> writes:
>>> Attached are the server cert (, the intermediate cert (f0a38a80.0)
>>> and the CA self signed cert (7651b327.0)
>> Thanks, I can reproduce the problem.  Should be fixed with this patch:
> Sorry, that link was wrong.  For the 2.6.x branch the proper link is:
> Please test the patch and confirm whether or not it works for you.  I
> think we should do a new 2.6.x release to deal with this.

I tried the patch against the Ubuntu version, but it still fails. Looking
at 2.6.3 and the Ubuntu version I don't see any differences in this area.

When using ldapsearch, gnutls_x509_crl_verify is called with flags=0.

I don't see where GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT or

I do see that the src/cli.c in the init_global_tls_stuff but cli.c is
a test program(?) and not part of the lib.

I do see that in 2.6.3 lib/x509/verify.c will XOR?
it at line 444 (2.6.3 version) flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
But that is too late,
as _gnutls_verify_certificate2 is called at line 402 with flags=0.

Also, should line 444 be |= rather than ^= ?

> The latest daily build contains all fixes, so everyone, please test this
> as if it were a new 2.6.x release:
> It is a good time to raise other problems with 2.6.x now.
> Thanks,
> /Simon


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
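A toy model of the two points raised in the mail (the flag being adjusted after the chain check has already run, and ^= toggling a bit rather than setting it). This is an added example, not code from gnutls or from the mail; the flag value DEMO_ALLOW_X509_V1_CA_CRT and the struct demo_ca chain model are constructed placeholders, not gnutls' real definitions.

```c
/* Added example, not gnutls code. Flag value and chain model are constructed
 * stand-ins for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT and a real X.509 issuer. */
#include <stdio.h>

#define DEMO_ALLOW_X509_V1_CA_CRT (1u << 0)   /* constructed value */

/* Minimal issuer model: an X.509v1 root carries no basicConstraints. */
struct demo_ca {
    int is_v1;                  /* 1 for a v1 certificate */
    int basic_constraints_ca;   /* 1 if basicConstraints CA:TRUE is present */
};

/* Issuer check: a CA lacking basicConstraints is accepted only when the
 * flags in force at the time of the check allow v1 CA certificates. */
int demo_issuer_ok(const struct demo_ca *ca, unsigned int flags) {
    if (ca->basic_constraints_ca)
        return 1;
    return (ca->is_v1 && (flags & DEMO_ALLOW_X509_V1_CA_CRT)) ? 1 : 0;
}

/* Order described in the mail: the check runs with the caller's flags
 * (0 from ldapsearch); the flag is adjusted afterwards, and with ^=. */
int demo_verify_flag_after_check(const struct demo_ca *ca, unsigned int flags) {
    int ok = demo_issuer_ok(ca, flags);
    flags ^= DEMO_ALLOW_X509_V1_CA_CRT;   /* too late to matter, and a toggle */
    return ok;
}

/* Flag applied before the check, with |= so it stays set if already present. */
int demo_verify_flag_before_check(const struct demo_ca *ca, unsigned int flags) {
    flags |= DEMO_ALLOW_X509_V1_CA_CRT;
    return demo_issuer_ok(ca, flags);
}

/* ^= clears a bit the caller had already set; |= leaves it set. */
unsigned int demo_toggle_flag(unsigned int flags) { return flags ^ DEMO_ALLOW_X509_V1_CA_CRT; }
unsigned int demo_set_flag(unsigned int flags)    { return flags | DEMO_ALLOW_X509_V1_CA_CRT; }

/* Wrappers for a constructed v1 root like the one in the report. */
int demo_v1_root_after(unsigned int flags)  { struct demo_ca r = {1, 0}; return demo_verify_flag_after_check(&r, flags); }
int demo_v1_root_before(unsigned int flags) { struct demo_ca r = {1, 0}; return demo_verify_flag_before_check(&r, flags); }

int main(void) {
    printf("flags=0: after-check=%d before-check=%d\n", demo_v1_root_after(0), demo_v1_root_before(0));
    printf("already set: ^= gives %u, |= gives %u\n",
           demo_toggle_flag(DEMO_ALLOW_X509_V1_CA_CRT), demo_set_flag(DEMO_ALLOW_X509_V1_CA_CRT));
    return 0;
}
```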
