[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a

Simon Josefsson simon at josefsson.org
Tue Jul 13 19:13:31 CEST 2010

"Nikos Mavrogiannopoulos" <nmav at gnutls.org> writes:

> +  gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

What was the reason for this change?  Do we want to do this
unconditionally?  Maybe we could introduce a --permit-v1-cas flag?  I'd
rather prefer to treat V1 CAs as broken-by-default...

Hm.  Generally, X.509 validation is quite complex, just like TLS
security policies.  I wonder if a X.509 priority string concept would be
useful?  Then the user could say --x509-priority
"NORMAL:+VERIFY_ALLOW_X509_V1_CA_CRT" to do the above.  Thoughts?  The
string could be used to modify how X.509 validation works in many ways.


More information about the Gnutls-devel mailing list