gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

From: Nikos Mavrogiannopoulos
Subject: Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
Date: Wed, 10 Dec 2008 19:03:24 +0200
User-agent: Thunderbird 2.0.0.18 (X11/20081125) 
Simon Josefsson wrote:
> My approach introduced a problem with the pkcs1-padding self-test that
> uses certtool --verify-chain, and the self-test assumes that the last
> certificate is actually verified against its own public key...  so
> short-cutting the validation of trust anchors changed the semantics of
> one public interface.  Sigh.  So I have reverted my patch.
> 
> Simon Josefsson <address@hidden> writes:
> 
>> I believe that is wrong: with your patch it will fail when the CA is
>> self-signed using RSA-MD2.
> There aren't many of those around, so I think we can leave it as a
> documented bug that self-signed RSA-MD2 certificate cannot be used as a
> trust anchor.  One might see that as a feature, even. ;)
> I've aligned the self-tests with Nikos' approach.

What I don't understand is why it fails with my approach. Since I remove
the trusted certificate from the chain it shouldn't be an issue. For
example this issue does not occur any more with
hbci-pintan-rp.s-hbci.de. On which cases did you notice that?

regards,
Nikos
reply via email to
[Prev in Thread] Current Thread [Next in Thread]