[SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Nov 22 18:04:55 CET 2010

On 11/20/2010 03:53 PM, Andreas Metzler wrote:

>> There is no practical problem with having V1 root CAs, the problem is
>> with the intermediate (untrusted) and this flag allows only root CAs. If
>> disabled it fails to verify a large fraction of any root CA list. A flag
>> that would disallow them would offer the functionality you say, but I
>> don't think it should be the default (not today with this large set of
>> V1 CAs at least).
> [...]
> Hello,
> I have stumbled upon gnutls-cli's changed behavior today and could not
> find anything in NEWS or Changelog about a policy change. If this
> stays in, please document it. (simple patch attached, perhaps the manpage
> should say so, too.)

There is a note at:
* Version 2.10.1 (released 2010-07-25)


** gnutls-cli: Allow verification using V1 CAs.

> Also I think different default values in gnutls-the-library and
> gnutls-cli are confusing. ("My gnutls using app has problem x" -
> "Please try to reproduce with gnutls-cli" - "Cannot.") Either
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a more sensible default value
> (AFAIK OpenSSL is using it, and about 50% of all TLS certificates are
> signed by V1 CAs, e.g.  Go Daddy.) or not. If
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is truely evil gnutls-cli should
> not use it by default.

Unfortunately this is the API since quite long to be changed.
Applications are to set the required for verification flags. A way to
solve this would be to make a higher level verification procedure
(functionality). It is not on my immediate plans though.


More information about the Gnutls-devel mailing list