gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at
Mon Jan 12 16:50:09 CET 2009

"Douglas E. Engert" <deengert at> writes:

> Simon Josefsson wrote:
>> "Douglas E. Engert" <deengert at> writes:
>>> Simon Josefsson wrote:
>>>> The default is to reject V1 CA's, so the application need to supply
>>>> either flag if they want a particular behaviour.
>>>> By default, gnutls_x509_crt_list_verify rejects V1 CAs, but it takes a
>>>> flags parameter.  If you call the verification through
>>>> gnutls_session_verify_peers, you can use the
>>>> gnutls_certificate_set_verify_flags function to set the flags to use
>>>> (like cli.c does).
>>> That will be a problem, as the application is ldap used by nss-ldap.
>>> I have not looked at how they call gnutls, but we don't want to have to
>>> changes these too.
>>> One could argue the application already provides the list of CA certs
>>> it is willing to trust, so why does it need to provide an additional flag?
>> I believe it would break ABI/API compatibility to change this now --
>> applications assume that V1 CA are rejected since that has been the
>> documented behaviour for several years.
>> It seems like a bug in the ldap/nss-ldap code that it doesn't pass the
>> V1 flag if it really wants GnuTLS to permit V1 CA's.
> Its not the application that wants it. As far as I can tell previous
> versions of ldap using OpenLDAP do not have the problem, and only
> after Ubuntu back ported the December fixes did this problem start
> occuring.

The December fixes solved a security problem where some CA certificates
were simply ignored by the validation code, so maybe it only worked by
accident before.

> I understand that you don't want to change your code.

I don't see anything wrong with the code -- with the patch installed on
gnutls 2.6.x, it should behave as per the documentation.

>> For things that aren't documented, I think we can be pragmatic and come
>> up with quick fixes and apply them to the v2.6.x branch as needed.  But
>> anything that changes documented and intended behaviour is not
>> appropriate for our stable branch IMHO.
>>> If the code change on you TODO list to stop when an intermediate CA cert
>>> is found on the trusted CA list, then this would solve my problem,
>>> as the intermediate cert is V3 and has CA:TRUE, and is trusted.
>> Yup.  Fixing that would be neat, and could go onto the v2.7.x branch
>> which we could release as the next stable branch relatively quickly.
> Actually I wrote a mod on this Friday, to do this. I need to clean it
> up today and send it in for your review.
> The CA in question is a Verisign cert used to sign an intermediate cert:
> So trusting this intermediate V3 cert would work for us.

Thanks!  Several people have asked about this feature, solving it would
be useful.

If the patch is over 10 lines long we will need a copyright assignment
before we can apply it though.  If you want to speed up the process, you
could fill out the form below now.


Please email the following information to assign at, and we
will send you the assignment form for your past and future changes.

Please use your full legal name (in ASCII characters) as the subject
line of the message.

[What is the name of the program or package you're contributing to?]

[Did you copy any files or text written by someone else in these changes?
Even if that material is free software, we need to know about it.]

[Do you have an employer who might have a basis to claim to own
your changes?  Do you attend a school which might make such a claim?]

[For the copyright registration, what country are you a citizen of?]

[What year were you born?]

[Please write your email address here.]

[Please write your postal address here.]

[Which files have you changed so far, and which new files have you written
so far?]

More information about the Gnutls-devel mailing list