GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Oct 30 14:22:02 CET 2012
On Tue, Oct 30, 2012 at 2:17 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a dangerous flag and you
> shouldn't use it unless you really know the consequences. In short it
> means that an end-user certificate may pretend to be a CA.
Sorry, my comments were for the GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT
flag which you don't use. The flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is enabled by default so you don't have to set it.
regards,
Nikos
More information about the Gnutls-help
mailing list