Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"

Simon Josefsson simon at josefsson.org
Wed Feb 11 16:42:21 UTC 2009

Simon Josefsson <simon at josefsson.org> writes:

> The reason gnutls-cli doesn't complain is because it contains this code:
>   /* there are some CAs that have a v1 certificate *%&@#*%&
>    */
>   gnutls_certificate_set_verify_flags (xcred,
> 				       GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
> I don't recommend doing the same in other applications, and we should
> probably remove it from gnutls-cli too.  It may be useful to create a
> parameter in other tools to enable the flag on a per-case basis, though.

FWIW, I've worked on this in the gnutls 2.7.x branch.  gnutls-cli no
longer accepts V1 CAs by default, and there is a new --priority token
%VERIFY_ALLOW_X509_V1_CA_CRT to enable it for those that need it.  The
priority string approach is what we recommend applications expose to
their users for configuring GnuTLS internal details.
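A stand-alone model of the opt-in policy described in this thread, added here as an example and not taken from GnuTLS or gnutls-cli: verification stays strict by default, and a V1 trust anchor is accepted as a CA only when the user's priority string carries the %VERIFY_ALLOW_X509_V1_CA_CRT token. It assumes the flag covers only trusted (root) V1 certificates, as the GnuTLS manual describes it; the flag constant, struct and function names are stand-ins, and a real application hands the string to gnutls_priority_init() rather than parsing it itself.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in bit for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT (not the real value). */
#define ALLOW_X509_V1_CA_CRT (1u << 0)

/* Simplified certificate: version (1 or 3), whether basicConstraints CA=TRUE
 * is present (only possible in v3, since v1 has no extensions), and whether
 * the certificate is one of the configured trust anchors. */
struct cert { const char *subject; int version; int ca_ext; int trusted; };

/* Derive verify flags from a user-supplied priority string. The default is
 * strict; the V1-CA flag is set only if the user added the token explicitly. */
unsigned flags_from_priority(const char *prio)
{
    char buf[256]; unsigned flags = 0;
    strncpy(buf, prio, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":"))
        if (strcmp(tok, "%VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
            flags |= ALLOW_X509_V1_CA_CRT;
    return flags;
}

/* May this certificate act as an issuer under the given flags? */
int issuer_acceptable(const struct cert *c, unsigned flags)
{
    if (c->version >= 3) return c->ca_ext;     /* v3: basicConstraints decides */
    /* v1: the certificate cannot assert CA-ness itself, so accept it only as
     * a trust anchor and only when the application opted in. */
    return c->trusted && (flags & ALLOW_X509_V1_CA_CRT);
}

/* chain[0] is the end-entity and chain[i+1] issued chain[i]. Returns 1 when
 * every issuer is acceptable; signature checking is out of scope here. */
int chain_acceptable(const struct cert *chain, int n, unsigned flags)
{
    for (int i = 1; i < n; i++)
        if (!issuer_acceptable(&chain[i], flags)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: a v3 server cert issued directly by a v1 root. */
    struct cert chain[] = { {"server", 3, 0, 0}, {"v1 root", 1, 0, 1} };
    printf("NORMAL: %d\n", chain_acceptable(chain, 2, flags_from_priority("NORMAL")));
    printf("with token: %d\n", chain_acceptable(chain, 2,
           flags_from_priority("NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT")));
    return 0;
}
```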
