Bug#638595: WWWOFFLE HTTPS now unusable

Simon Josefsson simon at josefsson.org
Fri Aug 26 15:52:10 UTC 2011


amb at gedanken.demon.co.uk (Andrew M. Bishop) writes:

> Simon Josefsson <simon at josefsson.org> writes:
>
>> amb at gedanken.demon.co.uk (Andrew M. Bishop) writes:
>>
>>> One thing that I noticed during the debugging of this problem is that
>>> the newly created certificates (above) are described by certtool as
>>> "Version: 3" but the WWWOFFLE ones are "Version: 1".
>>
>> V1 CA certs should be permitted in latest GnuTLS, but it was disabled
>> during some releases.  I suspect this is not well tested, V1 certs are
>> rare, so there could be some bug.  Could you enable certification
>> validation logging somehow?  Or run gnutls-cli/gnutls-serv with logging
>> enabled.
>
> Changing the version of the certificate is as simple as changing the
> argument to the gnutls_x509_crt_set_version() function isn't it?
>
> Is there any reason that I shouldn't just change this so that new
> certificates are generated as V3 while old ones remain V1?  If there
> is no problem with a system using a mixture of the two certificate
> versions then this would give some future-proofing against gnutls
> changes wouldn't it?

New certs should definitely be V3 certs!  There is no reason to use V1
certs unless you are dealing with some already existing legacy V1 CA
certs.

/Simon
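The version difference Andrew saw in certtool output ("Version: 1" vs "Version: 3") lives in the optional tbsCertificate.version field of the DER encoding, which is absent for V1 and an explicit [0] INTEGER for V2/V3 (the INTEGER holds version minus one, so 2 means V3; GnuTLS's gnutls_x509_crt_set_version() takes the human number, 3). The following is an added example, not code from this thread or from WWWOFFLE or GnuTLS: a dependency-free check that reads that field from a DER certificate, run here against two constructed minimal stand-in structures rather than real certificates.

```python
"""Report the X.509 version (1, 2 or 3) of a DER-encoded certificate.

Certificate ::= SEQUENCE {
  tbsCertificate SEQUENCE {
    version      [0] EXPLICIT INTEGER DEFAULT v1(0),   -- absent => V1
    serialNumber INTEGER, ... } , signatureAlgorithm, signatureValue }
"""


def _read_tlv(buf: bytes, off: int):
    """Parse one DER tag/length/value at buf[off:]; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for the certificate in `der` (what certtool prints as 'Version:')."""
    tag, s, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, s, _ = _read_tlv(der, s)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vs, _ = _read_tlv(der, s)
    if tag != 0xA0:                        # [0] absent: DEFAULT v1, first field is serialNumber
        return 1
    itag, is_, ie = _read_tlv(der, vs)     # EXPLICIT wrapper around the INTEGER
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[is_:ie], "big") + 1   # DER stores version - 1


def _tlv(tag: int, body: bytes) -> bytes:
    """Build a short-form DER TLV (bodies under 128 bytes) for the constructed samples."""
    return bytes([tag, len(body)]) + body


# Constructed stand-ins, NOT real certificates: only the leading structure that
# x509_version() inspects is present (serialNumber = 1, no issuer/validity/key/signature).
_SERIAL = _tlv(0x02, b"\x01")
SAMPLE_V1_CERT = _tlv(0x30, _tlv(0x30, _SERIAL))
SAMPLE_V3_CERT = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _SERIAL))

if __name__ == "__main__":
    print("V1 sample ->", x509_version(SAMPLE_V1_CERT))   # 1
    print("V3 sample ->", x509_version(SAMPLE_V3_CERT))   # 3
```

On a real certificate, pass the bytes of the DER file (or the base64-decoded body of a PEM file) to x509_version(); the long-form length handling covers the multi-hundred-byte SEQUENCEs real certificates use.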
