Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"

Edward Allcutt emallcut at gleim.com
Thu Feb 12 15:21:07 UTC 2009


Simon Josefsson wrote:
> Edward Allcutt <emallcut at gleim.com> writes:
>> That's all very well, but it's a rather big change in functionality
>> for stable. I doubt it would be acceptable to patch all the relevant
>> apps which assume that their list of trusted CAs will actually be used
>> as such.
> 
> Right, and I don't think these applications should be patched for two
> reasons:
> 
>  1) That would open up security problems.
Are there any problems other than trusting the V1 certs as CAs? Because 
that's what the apps seem to expect.

>  2) The GnuTLS documentation and API has a flag to enable V1 CAs to be
>     valid as a CA root, and another flag to enable V1 CAs to be valid as
>     an intermediate CA cert.  This implies the default is that the certs
>     are intended to be disallowed.
I see that as a reason to patch, not a reason not to patch.

-- 
Edward Allcutt
Network Operations
