gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at
Fri Jan 9 18:59:47 CET 2009

Simon Josefsson wrote:

> The default is to reject V1 CAs, so the application needs to supply
> either flag if it wants a particular behaviour.
> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
> flags parameter.  If you call the verification through
> gnutls_session_verify_peers, you can use the
> gnutls_certificate_set_verify_flags function to set the flags to use
> (like cli.c does).

That will be a problem, as the application is ldap used by nss-ldap.
I have not looked at how they call gnutls, but we don't want to have to
change these too.

One could argue the application already provides the list of CA certs
it is willing to trust, so why does it need to provide an additional flag?

If the code change on your TODO list, to stop when an intermediate CA cert
is found on the trusted CA list, is made, then this would solve my problem,
as the intermediate cert is V3 and has CA:TRUE, and is trusted.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
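Added example, not from this thread or from gnutls: a small Python model of the verification policy discussed above, run over constructed certificates (a V1 root without Basic Constraints, a trusted V3 intermediate with CA:TRUE, and an ldap leaf). It rejects a V1 issuer unless a flag allows it, mirroring the two gnutls allow-V1-CA verify flags, and stops the chain walk at the first certificate that is itself in the trust list, which is the behaviour the reply asks for; the flag values, the Cert structure and the certificate names are this model's own assumptions.

```python
from dataclasses import dataclass

# Policy flags. The names follow the gnutls verify flags; the values are this model's own.
ALLOW_X509_V1_CA_CRT = 1 << 0      # accept a V1 CA only when it is in the trust list
ALLOW_ANY_X509_V1_CA_CRT = 1 << 1  # accept a V1 CA anywhere in the chain


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int       # 1 or 3
    ca: bool = False   # basicConstraints CA flag; a V1 cert has no such extension


def verify_chain(chain, trusted, flags=0):
    """Walk the presented chain from the leaf towards its issuers; return (ok, reason).

    The walk stops at the first certificate that is itself in the trust list, so a
    trusted V3 intermediate with CA:TRUE suffices even when the root above it is V1.
    A V1 issuer is rejected unless one of the allow flags covers it."""
    trust = {c.subject: c for c in trusted}
    for i, cert in enumerate(chain):
        if trust.get(cert.subject) == cert:
            return True, f"{cert.subject} is itself trusted"
        # The issuer is the next cert in the presented chain, else a trust-list entry.
        issuer = chain[i + 1] if i + 1 < len(chain) else trust.get(cert.issuer)
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no issuer found for {cert.subject}"
        issuer_trusted = trust.get(issuer.subject) == issuer
        if issuer.version == 1:
            allowed = bool(flags & ALLOW_ANY_X509_V1_CA_CRT) or (
                issuer_trusted and bool(flags & ALLOW_X509_V1_CA_CRT))
            if not allowed:
                return False, f"V1 CA {issuer.subject} rejected (no allow flag set)"
        elif not issuer.ca:
            return False, f"{issuer.subject} is V3 but not CA:TRUE"
        if issuer_trusted:
            return True, f"chain ends at trusted {issuer.subject}"
    return False, "chain exhausted without reaching a trusted CA"


# Constructed certificates modelling the situation in the thread (assumed names).
ROOT_V1 = Cert("Example V1 Root", "Example V1 Root", 1)                     # no Basic Constraints
INTERMEDIATE = Cert("Example Intermediate", "Example V1 Root", 3, ca=True)
LEAF = Cert("ldap.example.org", "Example Intermediate", 3)

if __name__ == "__main__":
    print(verify_chain([LEAF, INTERMEDIATE], [ROOT_V1]))                        # rejected: V1 root
    print(verify_chain([LEAF, INTERMEDIATE], [ROOT_V1], ALLOW_X509_V1_CA_CRT))  # accepted at root
    print(verify_chain([LEAF, INTERMEDIATE], [INTERMEDIATE, ROOT_V1]))          # accepted at intermediate
```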
