Andreas Metzler ametzler at downhill.at.eu.org
Mon Nov 22 18:59:12 CET 2010

On 2010-11-22 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 11/20/2010 03:53 PM, Andreas Metzler wrote:

> >> There is no practical problem with having V1 root CAs, the problem is
> >> with the intermediate (untrusted) and this flag allows only root CAs. If
> >> disabled it fails to verify a large fraction of any root CA list. A flag
> >> that would disallow them would offer the functionality you say, but I
> >> don't think it should be the default (not today with this large set of
> >> V1 CAs at least).
> > [...]
> > 
> > Hello,
> > I have stumbled upon gnutls-cli's changed behavior today and could not
> > find anything in NEWS or Changelog about a policy change. If this
> > stays in, please document it. (simple patch attached, perhaps the manpage
> > should say so, too.)

> There is a note at:
> * Version 2.10.1 (released 2010-07-25)

> [...]

> ** gnutls-cli: Allow verification using V1 CAs.

Isn't "allow" too weak? Even 2.8.6 can do this with the correct
options. (--priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT)

> > Also I think different default values in gnutls-the-library and
> > gnutls-cli are confusing. ("My gnutls using app has problem x" -
> > "Please try to reproduce with gnutls-cli" - "Cannot.") Either
> > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a more sensible default value
> > (AFAIK OpenSSL is using it, and about 50% of all TLS certificates are
> > signed by V1 CAs, e.g. Go Daddy.) or not. If
> > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is truly evil, gnutls-cli should
> > not use it by default.

> Unfortunately this is the API since quite long to be changed.
> Applications are to set the required for verification flags. A way to
> solve this would be to make a higher level verification procedure
> (functionality). It is not on my immediate plans though.

Actually the implemented API has changed in the not too distant past;
versions before 2.4.3 accepted V1 CA certs.

cu andreas
