GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification

Michal Suchanek hramrach at gmail.com
Tue Oct 30 15:41:38 CET 2012


On 30 October 2012 15:17, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Tue, Oct 30, 2012 at 2:28 PM, Michal Suchanek <hramrach at gmail.com> wrote:
>
>>> Now for the issue you see. It is because you do not set the flag
>>> GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
>>> chains will be sorted prior to verification. The reason you see this
>>> failure is because this flag is enabled by default on a credentials
>>> structure, unless it is overridden by other flags as you do.
>> So all the examples using gnutls_certificate_set_verify_flags are
>> bogus because they replace the default flags and break the
>> verification.
>
> Which examples do you refer to? However, an update_flags may be
> helpful indeed. I'll check it.

Don't know where the software author copied that line, but e.g. here

http://www.gnu.org/software/gnutls/manual/html_node/Digital-signatures.html

the manual advises to use set_verify_flags.

Thanks

Michal
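The failure discussed above comes from GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN being dropped when an application passes its own mask to gnutls_certificate_set_verify_flags: without that flag GnuTLS expects the list to already run leaf, intermediate(s), root, and an out-of-order list fails verification even though every certificate is fine. The C example below, which is added here and is not code from the thread or from GnuTLS, models what that flag enables: reordering a chain into leaf-to-root order before it is checked, and reporting a gap where the issuer of some certificate is not in the list. Certificates are reduced to constructed subject/issuer name pairs; there is no X.509 parsing, and the sample chain is made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the chain sorting that GnuTLS performs when
 * GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN is set. A certificate is reduced to
 * its subject and issuer names; no real X.509 parsing happens here. */

#define MAX_CHAIN 8

struct cert {
    const char *subject;
    const char *issuer;
};

/* Sort `in` (n certs, in[0] is the end-entity certificate, as GnuTLS assumes)
 * into `out` so that out[i+1] is the issuer of out[i].
 * Returns the number of certificates placed, or -1 if an issuer is missing. */
int sort_chain(const struct cert *in, int n, struct cert *out)
{
    int used[MAX_CHAIN] = {0};
    int placed = 0;

    if (n < 1 || n > MAX_CHAIN)
        return -1;

    out[placed++] = in[0];
    used[0] = 1;

    while (placed < n) {
        const char *want = out[placed - 1].issuer;
        int found = -1;

        /* A self-signed certificate ends the chain; anything left over is unrelated. */
        if (strcmp(want, out[placed - 1].subject) == 0)
            break;

        for (int i = 1; i < n; i++) {
            if (!used[i] && strcmp(in[i].subject, want) == 0) {
                found = i;
                break;
            }
        }
        if (found < 0)
            return -1;   /* gap in the chain: verification would fail regardless of order */

        used[found] = 1;
        out[placed++] = in[found];
    }
    return placed;
}

/* What a verifier that does NOT sort (no ALLOW_UNSORTED_CHAIN) requires:
 * each certificate's issuer must be the subject of the next one. */
int chain_is_sorted(const struct cert *c, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(c[i].issuer, c[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Constructed sample: a valid chain whose certificates arrive out of order
 * (leaf, root, intermediate), as a misconfigured server might send them. */
const struct cert UNSORTED_SAMPLE[3] = {
    { "CN=www.example.test", "CN=Example Intermediate CA" },
    { "CN=Example Root CA",  "CN=Example Root CA" },
    { "CN=Example Intermediate CA", "CN=Example Root CA" },
};

/* Same leaf, but the intermediate is absent: sorting cannot repair this. */
const struct cert GAPPED_SAMPLE[2] = {
    { "CN=www.example.test", "CN=Example Intermediate CA" },
    { "CN=Example Root CA",  "CN=Example Root CA" },
};

/* Returns 1 if sorting the unsorted sample yields a properly ordered 3-cert chain. */
int sample_sorts_correctly(void)
{
    struct cert out[MAX_CHAIN];
    int n = sort_chain(UNSORTED_SAMPLE, 3, out);
    return n == 3 && chain_is_sorted(out, 3) &&
           strcmp(out[2].subject, "CN=Example Root CA") == 0;
}

int main(void)
{
    struct cert out[MAX_CHAIN];
    printf("as received, sorted: %d\n", chain_is_sorted(UNSORTED_SAMPLE, 3));
    printf("after sorting, placed %d, sorted: %d\n",
           sort_chain(UNSORTED_SAMPLE, 3, out), chain_is_sorted(out, 3));
    printf("gapped chain: %d\n", sort_chain(GAPPED_SAMPLE, 2, out));
    return 0;
}
```

The practical consequence for an application is that any mask handed to gnutls_certificate_set_verify_flags should include GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN explicitly (ORed with whatever else is wanted, such as GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) unless the intent really is to reject out-of-order chains; setting a single flag on its own silently turns the sorting off.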
