curl and certificate verification in jessie
J.A. Bezemer
j.a.bezemer at opensourcepartners.nl
Mon Dec 1 19:56:30 UTC 2014
On Mon, 1 Dec 2014, Alessandro Ghedini wrote:
> On Mon, Dec 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote:
>>>> Is this intentional, or is that a bug in either gnutls, curl, or the software
>>>> using these libraries?
>>>
>>> AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
>>> build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
>>> to a single leaf certificate and have the verification succeed.
>>>
>>> FWIW the current behaviour is the same with openssl. I don't know if there's a
>>> reason for it though.
Wild guess: a certificate may indicate, in optional extra fields, if the
signer intended it to act as CA. For example in Firefox certificate
details, these are listed under "Extensions" as "Certificate Basic
Constraints", "Certificate Key Usage" and/or "Netscape Certificate Type".
It might be that modern gnutls/openssl are actually enforcing these
fields, which would cause a single-server certificate to be considered
invalid for CA purposes. And there might possibly be some way to override
that decision.
Just my 2c,
Anne Bezemer
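The extension check suggested above, as an added example that is not code from the thread or from curl/gnutls/openssl: it builds two throwaway self-signed certificates (a leaf with CA:FALSE and a CA with CA:TRUE), then reads the Basic Constraints and Key Usage extensions to decide whether a file could serve as a CA. It assumes the openssl command-line tool is installed; the helper names mkcert, ext_line and can_act_as_ca are ours.

```shell
#!/bin/sh
# Added example (not code from the thread): create two throwaway self-signed
# certificates, one leaf (CA:FALSE) and one CA (CA:TRUE), then inspect the
# Basic Constraints and Key Usage extensions to decide whether a certificate
# can act as a CA. Assumes the openssl CLI is installed; helper names are ours.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME BASIC_CONSTRAINTS KEY_USAGE: write a self-signed cert to $WORK/NAME.pem
mkcert() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$WORK/$1.cnf"
    printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,%s\nkeyUsage=critical,%s\n' \
        "$1" "$2" "$3" >> "$WORK/$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# ext_line CERT NAME: print the value line of the named X509v3 extension,
# with spaces removed (empty if the extension is absent).
ext_line() {
    openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2:" | tail -n 1 | tr -d ' '
}

# can_act_as_ca CERT: succeed only if Basic Constraints is CA:TRUE and
# Key Usage, when present, includes Certificate Sign (keyCertSign).
can_act_as_ca() {
    basic=$(ext_line "$1" "Basic Constraints")
    usage=$(ext_line "$1" "Key Usage")
    [ "$basic" = "CA:TRUE" ] || return 1
    [ -z "$usage" ] || echo "$usage" | grep -q 'CertificateSign'
}

mkcert leaf CA:FALSE digitalSignature,keyEncipherment
mkcert ca   CA:TRUE  keyCertSign,cRLSign
LEAF="$WORK/leaf.pem"
CA="$WORK/ca.pem"

# A verifier that enforces these extensions (as the thread suspects modern
# gnutls/openssl do) would reject the leaf as a trust anchor wherever
# CURLOPT_CAINFO points at it; the CA file passes.
for f in "$LEAF" "$CA"; do
    if can_act_as_ca "$f"; then
        echo "$f: CA:TRUE with certificate signing allowed, usable as a CA"
    else
        echo "$f: $(ext_line "$f" 'Basic Constraints'), not usable as a CA"
    fi
done
```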