Bug#514807: libgnutls13: Security update causes "TLS certificate verification: Error, Unknown error"
Edward Allcutt
emallcut at gleim.com
Thu Feb 12 15:21:07 UTC 2009
Simon Josefsson wrote:
> Edward Allcutt <emallcut at gleim.com> writes:
>> That's all very well, but it's a rather big change in functionality
>> for stable. I doubt it would be acceptable to patch all the relevant
>> apps which assume that their list of trusted CAs will actually be used
>> as such.
>
> Right, and I don't think these applications should be patched for two
> reasons:
>
> 1) That would open up for security problems.
Are there any problems other than trusting the V1 certs as CAs? Because
that's what the apps seem to expect.
> 2) The GnuTLS documentation and API has a flag to enable V1 CAs to be
> valid as a CA root, and another flag to enable V1 CAs to be valid as
> an intermediate CA cert. This implies the default is that the certs
> are intended to be disallowed.
I see that as a reason to patch, not a reason not to patch.
--
Edward Allcutt
Network Operations
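An added illustration, not part of this thread and not GnuTLS's own code: a small Python model of the chain walk behind the rule discussed above, in which a version 1 certificate is accepted as a trusted root only when GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set and as an intermediate only when GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT is set, while with the default flags the chain fails with GNUTLS_CERT_SIGNER_NOT_CA. The flag and status names are GnuTLS's (gnutls/x509.h); cert(), may_act_as_ca(), verify_chain(), status_names() and the sample chains are constructed for this example, and signature verification is replaced by an issuer-name match.

```python
"""Model of how GnuTLS chain verification treats X.509 version 1 CA certs.

Added illustration, not GnuTLS's own code: certificates are plain dicts
holding only the fields the rule looks at, and signature checking is
replaced by an issuer-name match.  Flag and status names are GnuTLS's;
the helper functions and sample data are invented for this example.
"""

# Verification flags (names and bit values as in gnutls/x509.h).
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 0x02      # the trusted *root* may be v1
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 0x08  # any CA in the chain may be v1

# Verification status bits handed back to the application.
GNUTLS_CERT_INVALID = 0x02
GNUTLS_CERT_SIGNER_NOT_FOUND = 0x40
GNUTLS_CERT_SIGNER_NOT_CA = 0x80


def cert(subject, issuer, version, ca=None):
    """Constructed stand-in for a parsed certificate.

    version: 1 or 3.  ca: the basicConstraints CA flag.  A v1 certificate
    carries no extensions at all, so 'ca' is always None for version 1.
    """
    if version == 1:
        ca = None
    return {"subject": subject, "issuer": issuer, "version": version, "ca": ca}


def may_act_as_ca(issuer, flags, is_trusted_root):
    """Decide whether 'issuer' may sign other certificates under 'flags'.

    v3: needs basicConstraints CA=TRUE.
    v1: has no basicConstraints, so it is rejected unless a flag allows it;
        ALLOW_X509_V1_CA_CRT covers only the trusted root, while
        ALLOW_ANY_X509_V1_CA_CRT also covers intermediates.
    """
    if issuer["version"] != 1:
        return issuer["ca"] is True
    if flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:
        return True
    return is_trusted_root and bool(flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)


def verify_chain(chain, trusted, flags=0):
    """Return a GnuTLS-style status word; 0 means the chain verified.

    chain: leaf first, then intermediates.  The trusted root is looked up
    in 'trusted' by name and is not itself part of 'chain'.
    """
    # 1. Anchor the top of the chain in the trusted list (root rules apply).
    top = chain[-1]
    roots = [t for t in trusted if t["subject"] == top["issuer"]]
    if not roots:
        return GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND
    if not any(may_act_as_ca(r, flags, is_trusted_root=True) for r in roots):
        return GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA

    # 2. Walk down the chain; every issuer here is an intermediate.
    for i in range(len(chain) - 1, 0, -1):
        issuer, subject = chain[i], chain[i - 1]
        if subject["issuer"] != issuer["subject"]:
            return GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND
        if not may_act_as_ca(issuer, flags, is_trusted_root=False):
            return GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA
    return 0


def status_names(status):
    """Spell out a status word instead of reporting a generic error."""
    names = {
        GNUTLS_CERT_INVALID: "GNUTLS_CERT_INVALID",
        GNUTLS_CERT_SIGNER_NOT_FOUND: "GNUTLS_CERT_SIGNER_NOT_FOUND",
        GNUTLS_CERT_SIGNER_NOT_CA: "GNUTLS_CERT_SIGNER_NOT_CA",
    }
    return [n for bit, n in names.items() if status & bit] or ["verified"]


# Constructed sample data: an old v1 root, a v3 root, and a v1 intermediate.
V1_ROOT = cert("CN=Old Corp Root", "CN=Old Corp Root", version=1)
V3_ROOT = cert("CN=New Corp Root", "CN=New Corp Root", version=3, ca=True)
V1_INTERMEDIATE = cert("CN=Old Corp Issuing", "CN=New Corp Root", version=1)
LEAF_UNDER_V1_ROOT = cert("CN=mail.example", "CN=Old Corp Root", 3, ca=False)
LEAF_UNDER_V1_INT = cert("CN=mail.example", "CN=Old Corp Issuing", 3, ca=False)

CHAIN_V1_ROOT = [LEAF_UNDER_V1_ROOT]                    # v1 cert is the root
CHAIN_V1_INTERMEDIATE = [LEAF_UNDER_V1_INT, V1_INTERMEDIATE]  # v1 in the middle

if __name__ == "__main__":
    cases = [("v1 root", CHAIN_V1_ROOT, [V1_ROOT]),
             ("v1 intermediate", CHAIN_V1_INTERMEDIATE, [V3_ROOT])]
    for label, chain, trusted in cases:
        for flags in (0, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
                      GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT):
            status = verify_chain(chain, trusted, flags)
            print(f"{label:16s} flags=0x{flags:02x}: {status_names(status)}")
```

In a real application the equivalent switch is one call on the credentials, gnutls_certificate_set_verify_flags(), passing the flag that matches the deployment: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT if only the configured trust anchors are v1, GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT only if v1 intermediates must also be accepted, since the latter lets any v1 certificate in a supplied chain act as a CA.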