gnutls fails to use Verisign CA cert without a Basic Constraint
Douglas E. Engert
deengert at anl.gov
Fri Jan 9 18:59:47 CET 2009
Simon Josefsson wrote:
> The default is to reject V1 CA's, so the application need to supply
> either flag if they want a particular behaviour.
> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
> flags parameter. If you call the verification through
> gnutls_session_verify_peers, you can use the
> gnutls_certificate_set_verify_flags function to set the flags to use
> (like cli.c does).
That will be a problem, as the application is ldap used by nss-ldap.
I have not looked at how they call gnutls, but we don't want to have to
changes these too.
One could argue the application already provides the list of CA certs
it is willing to trust, so why does it need to provide an additional flag?
If the code change on you TODO list to stop when an intermediate CA cert
is found on the trusted CA list, then this would solve my problem,
as the intermediate cert is V3 and has CA:TRUE, and is trusted.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Gnutls-devel