Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
From: Nikos Mavrogiannopoulos
Subject: Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
Date: Tue, 30 Oct 2012 14:17:49 +0100
On Tue, Oct 30, 2012 at 10:04 AM, Michal Suchanek <address@hidden> wrote:
> Hello,
> when this flag is set some certificates cannot be verified.
> hermes.jabber.org sends a certificate chain laid out like
> S R I where S is the server certificate, R is the root certificate, and I
> is the intermediate certificate which signs S and is signed by R. R is
> a known CA.
> gnutls-cli version 2.8.6, 3.0.20 and 3.0.22 cannot verify the
> certificate. gnutls-cli version 3.1.3 can.
> Upgrading gnutls to 3.1 does not enable an application to verify the
> certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
> is disabled in the application.

The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a dangerous flag and you
shouldn't use it unless you really know the consequences. In short it
means that an end-user certificate may pretend to be a CA.

Now for the issue you see. It is because you do not set the flag
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
chains will be sorted prior to verification. The reason you see this
failure is because this flag is enabled by default on a credentials
structure, unless it is overridden by other flags as you do.

regards,
Nikos
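
The ordering problem discussed in this message, as an added example that is not part of the original post and is not GnuTLS code: a simplified C model in which a certificate is only a subject/issuer name pair (no signatures are checked), showing why the S, R, I layout fails a strict in-order check and passes once the chain is sorted. The struct, the function names and the sample data are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a certificate is just two names. */
struct cert { const char *subject; const char *issuer; };

/* Constructed sample: the order from the report, S then R then I. */
static struct cert sample[] = { {"S", "I"}, {"R", "R"}, {"I", "R"} };

/* Strict check: every certificate must be issued by the entry right after it. */
int chain_is_ordered(const struct cert *c, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(c[i].issuer, c[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Sort in place: c[0] (the server certificate) stays first, then the issuer
 * of the previous entry is pulled forward. Returns how many entries linked
 * up; anything past that index is not part of the path. */
int sort_chain(struct cert *c, int n)
{
    int i;
    for (i = 1; i < n; i++) {
        int j;
        if (strcmp(c[i - 1].issuer, c[i - 1].subject) == 0)
            break;                      /* self-signed: the path ends here */
        for (j = i; j < n; j++)
            if (strcmp(c[j].subject, c[i - 1].issuer) == 0)
                break;
        if (j == n)
            break;                      /* issuer was not sent by the peer */
        struct cert tmp = c[i];
        c[i] = c[j];
        c[j] = tmp;
    }
    return i;
}

int main(void)
{
    printf("as sent: ordered=%d\n", chain_is_ordered(sample, 3));
    int linked = sort_chain(sample, 3);
    printf("sorted:  ordered=%d linked=%d (%s %s %s)\n",
           chain_is_ordered(sample, 3), linked,
           sample[0].subject, sample[1].subject, sample[2].subject);
    return 0;
}
```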