gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at
Mon Jan 12 16:37:10 CET 2009

Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at> writes:
>> Simon Josefsson wrote:
>>> The default is to reject V1 CA's, so the application need to supply
>>> either flag if they want a particular behaviour.
>>> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
>>> flags parameter.  If you call the verification through
>>> gnutls_session_verify_peers, you can use the
>>> gnutls_certificate_set_verify_flags function to set the flags to use
>>> (like cli.c does).
>> That will be a problem, as the application is ldap used by nss-ldap.
>> I have not looked at how they call gnutls, but we don't want to have to
>> changes these too.
>> One could argue the application already provides the list of CA certs
>> it is willing to trust, so why does it need to provide an additional flag?
> I believe it would break ABI/API compatibility to change this now --
> applications assume that V1 CA are rejected since that has been the
> documented behaviour for several years.
> It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
> V1 flag if it really wants GnuTLS to permit V1 CA's.

Its not the application that wants it. As far as I can tell previous versions
of ldap using OpenLDAP do not have the problem, and only after Ubuntu
back ported the December fixes did this problem start occuring.

I understand that you don't want to change your code.

> Nikos, what do you think?  You wrote the code here, and introduced the
> work-around flags to deal with V1 certs.

Also, as Daniel Kahn Gillmor pointed out, to clear the bit
needs this change:

    > -	flags ^= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
    > +	flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;

But this would not solve the problem either.

> For things that aren't documented, I think we can be pragmatic and come
> up with quick fixes and apply them to the v2.6.x branch as needed.  But
> anything that changes documented and intended behaviour is not
> appropriate for our stable branch IMHO.
>> If the code change on you TODO list to stop when an intermediate CA cert
>> is found on the trusted CA list, then this would solve my problem,
>> as the intermediate cert is V3 and has CA:TRUE, and is trusted.
> Yup.  Fixing that would be neat, and could go onto the v2.7.x branch
> which we could release as the next stable branch relatively quickly.

Actually I wrote a mod on this Friday, to do this. I need to clean it
up today and send it in for your review.

The CA in question is a Verisign cert used to sign an intermediate cert:
So trusting this intermediate V3 cert would work for us.

> /Simon


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Gnutls-devel mailing list