[gnutls-devel] GnuTLS | Unable to verify certificate chain on app.usmobile.com (#1771)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Dec 10 18:53:18 CET 2025
Michael Catanzaro commented: https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2945874272
One comment on your blog post:
> There is only one technical workaround we can implement without severely compromising security: including the cross-signed intermediate certificate directly in the root store. However, I do not anticipate shipping such a change before early February. I doubt that the affected service providers will remain broken until then; they will likely fix the issue on their end, which is the correct solution anyway.
In practice, we know that websites generally only care about whether major browsers accept the chain. We know that both Firefox and Chrome accept this chain. If it's also accepted by Safari, then probably websites will not make any changes. (If Safari rejects the chain, then most websites will probably eventually notice and fix it.)
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2945874272
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20251210/6d5a257e/attachment.html>
More information about the Gnutls-devel
mailing list