Re: gnutls fails to use Verisign CA cert without a Basic Constraint
From: Simon Josefsson
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Fri, 09 Jan 2009 10:56:40 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
"Douglas E. Engert" <address@hidden> writes:
> Attached are the server cert (auth2.it.anl.gov), the intermediate cert
> (f0a38a80.0) and the CA self signed cert (7651b327.0)
Thanks, I can reproduce the problem. Should be fixed with this patch:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/
> *BUT* if one trusts both B and C, do we need to verify C?
> Why does the code around line 265 not stop after finding that B is in the
> tcas, rather than looking for C, and then verifying it?
GnuTLS does not support stopping at intermediate CAs right now, see
doc/TODO:
- Chain verifications.
  - Short-cut the certificate verification algorithm before the
    root if a middle-CA is trusted.
Fixing this would be useful.
Thanks,
/Simon
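
A simplified model of the short-cut named in the doc/TODO item above, as an added example that is not part of the original message and is not GnuTLS code. The `struct cert` fields, the `issuer_ok` flag and the fingerprints are assumptions made up for the illustration, and no real signatures are checked.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate for illustration: names and a constructed fingerprint,
   no real signatures. issuer_ok models whether the verifier accepts this
   certificate as a signer (hypothetical flag). */
struct cert { const char *subject, *issuer, *fp; int issuer_ok; };

static int is_trusted(const struct cert *c, const struct cert *tcas, int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(c->fp, tcas[i].fp) == 0) return 1;  /* match the whole cert */
    return 0;
}

/* chain[0] is the server cert, chain[len-1] the top of the chain.
   shortcut=0: verify every link, then require the top cert to be trusted.
   shortcut=1: stop at the first CA in the chain that is in the trusted list. */
int verify_chain(const struct cert *chain, int len,
                 const struct cert *tcas, int ntcas, int shortcut) {
    if (len < 1) return 0;
    for (int i = 0; i < len; i++) {
        if (shortcut && i > 0 && is_trusted(&chain[i], tcas, ntcas))
            return 1;            /* links 0..i already checked; skip the rest */
        if (i + 1 < len) {
            if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0) return 0;
            if (!chain[i + 1].issuer_ok) return 0;
        }
    }
    return is_trusted(&chain[len - 1], tcas, ntcas);
}

/* Constructed sample: server signed by B, B signed by self-signed root C.
   C is marked as refused as an issuer, standing in for the failing root. */
static const struct cert CHAIN[] = {
    { "server", "B", "fp-server", 0 },
    { "B",      "C", "fp-B",      1 },
    { "C",      "C", "fp-C",      0 },
};
static const struct cert TRUST_B_AND_C[] = {
    { "B", "C", "fp-B", 1 }, { "C", "C", "fp-C", 0 },
};
static const struct cert TRUST_C_ONLY[] = { { "C", "C", "fp-C", 0 } };

int main(void) {
    printf("full walk, trust {B,C}: %d\n", verify_chain(CHAIN, 3, TRUST_B_AND_C, 2, 0));
    printf("short-cut, trust {B,C}: %d\n", verify_chain(CHAIN, 3, TRUST_B_AND_C, 2, 1));
    printf("short-cut, trust {C}:   %d\n", verify_chain(CHAIN, 3, TRUST_C_ONLY, 1, 1));
    return 0;
}
```

With B trusted, the short-cut accepts the chain without ever examining C; when only C is trusted, the result is the same as the full walk.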