curl and certificate verification in jessie

J.A. Bezemer j.a.bezemer at
Mon Dec 1 19:56:30 UTC 2014

On Mon, 1 Dec 2014, Alessandro Ghedini wrote:

> On lun, dic 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote:
>>>> Is this intentional, or is that a bug in either gnutls, curl, or the software
>>>> using these libraries?
>>> AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
>>> build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
>>> to a single leaf certificate and have the verification succeed.
>>> FWIW the current behaviour is the same with openssl. I don't know if there's a
>>> reason for it though.

Wild guess: a certificate may indicate, in optional extra fields, if the 
signer intended it to act as CA. For example in Firefox certificate 
details, these are listed under "Extensions" as "Certificate Basic 
Constraints", "Certificate Key Usage" and/or "Netscape Certificate Type". 
It might be that modern gnutls/openssl are actually enforcing these 
fields, which would cause a single-server certificate to be considered 
invalid for CA purposes. And there might possibly be some way to override 
that decision.

Just my 2c,

Anne Bezemer

More information about the Pkg-gnutls-maint mailing list