curl and certificate verification in jessie

Ian Jackson ijackson at
Thu Dec 4 18:48:57 UTC 2014

Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
> So, the idea is that when you "accept" an EE cert, you need to do it
> with an explicit associate to a specific peer's name, not just the cert
> itself.  newer versions of GnuTLS provide this facility, but it's not
> the traditional (and potentially dangerous) "here's a package of certs
> i'm OK with" interface that it was before.  And of course that interface
> isn't used by curl yet.

How about the following change to GnuTLS: if _all_ of the supplied
certificates are EE certificates (eg, have the critical CA constraint
set to false), we disable this check ?

In that situation it is clear that the caller is not trying to use the
X.509 CA infrastructure at all and has been `abusing' the CA interface
to provide the expected public keys directly.


More information about the Pkg-gnutls-maint mailing list