Bug#638595: WWWOFFLE HTTPS now unusable

Andrew M. Bishop amb at gedanken.demon.co.uk
Fri Aug 26 15:44:23 UTC 2011


Simon Josefsson <simon at josefsson.org> writes:

> amb at gedanken.demon.co.uk (Andrew M. Bishop) writes:
>
>> One thing that I noticed during the debugging of this problem is that
>> the newly created certificates (above) are described by certtool as
>> "Version: 3" but the WWWOFFLE ones are "Version: 1".
>
> V1 CA certs should be permitted in latest GnuTLS, but it was disabled
> during some releases.  I suspect this is not well tested, V1 certs are
> rare, so there could be some bug.  Could you enable certification
> validation logging somehow?  Or run gnutls-cli/gnutls-serv with logging
> enabled.

Changing the version of the certificate is as simple as changing the
argument to the gnutls_x509_crt_set_version() function, isn't it?

Is there any reason that I shouldn't just change this so that new
certificates are generated as V3 while old ones remain V1?  If there
is no problem with a system using a mixture of the two certificate
versions then this would give some future-proofing against gnutls
changes, wouldn't it?

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             amb at gedanken.demon.co.uk
                                      http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
        http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
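
For auditing a store that holds a mixture of the two certificate versions discussed in this message, the following added example (not code from this thread, WWWOFFLE or GnuTLS) reads the version straight from the DER encoding: the version field is an optional [0] EXPLICIT INTEGER at the start of TBSCertificate, and a V1 certificate omits it. The function names are hypothetical and the two byte arrays are constructed skeletons of a certificate prefix, not real certificates.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag+length header at buf[*pos]; on success *pos points at the
 * content and *clen holds its length. Returns 0 on success, -1 if malformed. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    if (len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) {
        *clen = b;                               /* short-form length */
    } else {
        size_t n = b & 0x7f;                     /* long form: n length bytes */
        if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
        *clen = 0;
        while (n--) *clen = (*clen << 8) | buf[(*pos)++];
    }
    return (*clen <= len - *pos) ? 0 : -1;       /* content must fit in buffer */
}

/* Returns the X.509 version (1, 2 or 3) of a DER certificate, or -1. */
int x509_der_version(const unsigned char *der, size_t len)
{
    size_t pos = 0, clen;
    unsigned char tag;
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1; /* Certificate */
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1; /* TBSCertificate */
    if (der_header(der, len, &pos, &tag, &clen)) return -1;
    if (tag == 0x02) return 1;     /* serialNumber comes first: version omitted, so V1 */
    if (tag != 0xA0) return -1;    /* otherwise expect the [0] EXPLICIT wrapper */
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x02 || clen != 1) return -1;
    if (der[pos] > 2) return -1;   /* encoded value is 0, 1 or 2 */
    return der[pos] + 1;
}

/* Constructed samples: only the leading fields of a certificate. */
static const unsigned char sample_v1[] = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01};
static const unsigned char sample_v3[] = {0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03,
                                          0x02, 0x01, 0x02, 0x02, 0x01, 0x01};

int main(void)
{
    printf("sample_v1: version %d\n", x509_der_version(sample_v1, sizeof sample_v1));
    printf("sample_v3: version %d\n", x509_der_version(sample_v3, sizeof sample_v3));
    return 0;
}
```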




