Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"
Simon Josefsson
simon at josefsson.org
Wed Feb 11 16:42:21 UTC 2009
Simon Josefsson <simon at josefsson.org> writes:
> The reason gnutls-cli doesn't complain is because it contains this code:
>
>   /* there are some CAs that have a v1 certificate *%&@#*%&
>    */
>   gnutls_certificate_set_verify_flags (xcred,
>                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> I don't recommend doing the same in other applications, and we should
> probably remove it from gnutls-cli too. It may be useful to create a
> parameter in other tools to enable the flag on a per-case basis, though.
FWIW, I've worked on this in the gnutls 2.7.x branch. gnutls-cli no
longer accepts V1 CAs by default, and there is a new --priority token
%VERIFY_ALLOW_X509_V1_CA_CRT to enable it for those that need it. The
priority string approach is what we recommend applications expose to
their users for configuring GnuTLS internal details.
/Simon
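Editor's note, added to this archived message and not part of Simon's mail or of GnuTLS: the reason the flag above is off by default is that an X.509 v1 certificate has no extensions field at all, so it cannot carry basicConstraints (the cA bit) or keyUsage. If a verifier accepts v1 certificates as CAs, it has no way to distinguish a v1 CA from a v1 end-entity certificate, and any such end-entity certificate could be used to sign further certificates. The example below shows the check an application performs when it mirrors the gnutls-cli change: it reads the version field from the DER encoding (absent field means v1, per the ASN.1 DEFAULT), rejects non-v3 trust anchors unless the caller opted in, and derives the opt-in from a priority-style string containing %VERIFY_ALLOW_X509_V1_CA_CRT. The DER walker, the token scanner and the VERIFY_ALLOW_V1_CA flag are this example's own; GnuTLS's real parser, priority handling and flag values are not used here. The two certificate byte strings are constructed for the example and contain only the fields the walker inspects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example's own flag bit; plays the role of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
 * but is not GnuTLS's value. */
#define VERIFY_ALLOW_V1_CA 0x1u

/* Decode a DER length starting at p (bounded by end). Returns the number of
 * length bytes consumed, or 0 on error; the decoded length goes to *len. */
static size_t der_length(const uint8_t *p, const uint8_t *end, size_t *len) {
    if (p >= end) return 0;
    uint8_t b = *p++;
    if (b < 0x80) { *len = b; return 1; }           /* short form */
    size_t n = b & 0x7f;                            /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[i];
    *len = v;
    return 1 + n;
}

/* Require a TLV with the given tag at *p; on success advance *p to the start
 * of its content, store the content length in *len and check it fits. */
static int der_enter(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len) {
    if (*p >= end || **p != tag) return 0;
    size_t hdr = der_length(*p + 1, end, len);
    if (hdr == 0) return 0;
    *p += 1 + hdr;
    return (size_t)(end - *p) >= *len;
}

/* Return the X.509 version (1, 2 or 3) of a DER-encoded Certificate, or -1 if
 * the input is malformed. Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 * version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... } ... } */
int x509_version(const uint8_t *der, size_t der_len) {
    const uint8_t *p = der, *end = der + der_len;
    size_t len;
    if (!der_enter(&p, end, 0x30, &len)) return -1;   /* Certificate */
    end = p + len;
    if (!der_enter(&p, end, 0x30, &len)) return -1;   /* TBSCertificate */
    end = p + len;
    if (p < end && *p == 0xA0) {                      /* [0] EXPLICIT version */
        if (!der_enter(&p, end, 0xA0, &len)) return -1;
        const uint8_t *vend = p + len;
        if (!der_enter(&p, vend, 0x02, &len)) return -1;
        if (len != 1 || p[0] > 2) return -1;          /* v1=0, v2=1, v3=2 */
        return p[0] + 1;
    }
    return 1;                                         /* field absent: DEFAULT v1 */
}

/* Toy scanner for a GnuTLS-style priority string: colon-separated tokens, and
 * the exact token %VERIFY_ALLOW_X509_V1_CA_CRT turns the opt-in flag on. */
unsigned verify_flags_from_priority(const char *prio) {
    static const char tok[] = "%VERIFY_ALLOW_X509_V1_CA_CRT";
    unsigned flags = 0;
    const char *p = prio;
    for (;;) {
        const char *q = strchr(p, ':');
        size_t n = q ? (size_t)(q - p) : strlen(p);
        if (n == sizeof tok - 1 && memcmp(p, tok, n) == 0) flags |= VERIFY_ALLOW_V1_CA;
        if (!q) break;
        p = q + 1;
    }
    return flags;
}

/* Gate for trust anchors: a v3 certificate can carry basicConstraints, so it
 * proceeds to the normal CA checks; a v1 certificate has no extensions and is
 * accepted only when the caller opted in. 1 = accept, 0 = reject, -1 = malformed. */
int ca_cert_acceptable(const uint8_t *der, size_t der_len, unsigned flags) {
    int v = x509_version(der, der_len);
    if (v < 0) return -1;
    if (v == 3) return 1;
    if (v == 1 && (flags & VERIFY_ALLOW_V1_CA)) return 1;
    return 0;
}

/* Constructed inputs (not real certificates): Certificate { TBSCertificate {
 * [0]{INTEGER 2}, INTEGER 1 } } for v3 and { TBSCertificate { INTEGER 1 } }
 * for v1, cut after the serial number since nothing later is inspected. */
static const uint8_t SAMPLE_V3[] = {0x30,0x0a,0x30,0x08,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x01};
static const uint8_t SAMPLE_V1[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x01};

int main(void) {
    unsigned strict = verify_flags_from_priority("NORMAL");
    unsigned lenient = verify_flags_from_priority("NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT");
    printf("v3 CA, NORMAL:           %d\n", ca_cert_acceptable(SAMPLE_V3, sizeof SAMPLE_V3, strict));
    printf("v1 CA, NORMAL:           %d\n", ca_cert_acceptable(SAMPLE_V1, sizeof SAMPLE_V1, strict));
    printf("v1 CA, with opt-in token: %d\n", ca_cert_acceptable(SAMPLE_V1, sizeof SAMPLE_V1, lenient));
    return 0;
}
```

The token match is exact rather than a substring search so that a misspelled or prefixed token cannot silently enable the relaxation; when wiring this to the real library, pass the whole string to gnutls_priority_init and let GnuTLS's own priority parser decide, which is the point of Simon's recommendation.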
More information about the Pkg-gnutls-maint mailing list