gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at
Wed Jan 14 18:04:02 CET 2009

Simon Josefsson wrote:
> If the patch is over 10 lines long we will need a copyright assignment
> before we can apply it though.  If you want to speed up the process, you
> could fill out the form below now.

I sent in the form to assign at They are sending a paper copy
which must be signed and mailed back. This may be a problem, as I will
have to get it OK'ed, which might take weeks.

So here is the short version of a "shorten the cert chain" patch that
is only 10 lines long. Do with it what you want. As this fixes
our problem, I consider it a bug fix.

But you will need to add a check_if_same_cert routine, which can be
taken from the first half of the check_if_ca routine. The line numbers
may be off, but in the 2.6.3 version, it would be inserted at line 394.

This will also solve our problem, as V1 cert will not get used at all
ans the intermediate cert is trusted and is V3.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: shorten.chain.small.patch.txt
URL: </pipermail/attachments/20090114/2f79c9da/attachment.txt>

More information about the Gnutls-devel mailing list