gnutls fails to use Verisign CA cert without a Basic Constraint

[Simon Josefsson]

"Douglas E. Engert" <deengert at anl.gov> writes:

> Simon Josefsson wrote:
>
>>
>> The default is to reject V1 CA's, so the application need to supply
>> either flag if they want a particular behaviour.
>>
>> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
>> flags parameter.  If you call the verification through
>> gnutls_session_verify_peers, you can use the
>> gnutls_certificate_set_verify_flags function to set the flags to use
>> (like cli.c does).
>
> That will be a problem, as the application is ldap used by nss-ldap.
> I have not looked at how they call gnutls, but we don't want to have to
> changes these too.
>
> One could argue the application already provides the list of CA certs
> it is willing to trust, so why does it need to provide an additional flag?

I believe it would break ABI/API compatibility to change this now --
applications assume that V1 CA are rejected since that has been the
documented behaviour for several years.

It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
V1 flag if it really wants GnuTLS to permit V1 CA's.

Nikos, what do you think?  You wrote the code here, and introduced the
work-around flags to deal with V1 certs.

For things that aren't documented, I think we can be pragmatic and come
up with quick fixes and apply them to the v2.6.x branch as needed.  But
anything that changes documented and intended behaviour is not
appropriate for our stable branch IMHO.

> If the code change on you TODO list to stop when an intermediate CA cert
> is found on the trusted CA list, then this would solve my problem,
> as the intermediate cert is V3 and has CA:TRUE, and is trusted.

Yup.  Fixing that would be neat, and could go onto the v2.7.x branch
which we could release as the next stable branch relatively quickly.

/Simon