[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT breaks certificate verification |
Date: |
Tue, 30 Oct 2012 14:22:02 +0100 |
On Tue, Oct 30, 2012 at 2:17 PM, Nikos Mavrogiannopoulos
<address@hidden> wrote:
> The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a dangerous flag and you
> shouldn't use it unless you really know the consequences. In short it
> means that an end-user certificate may pretend to be a CA.
Sorry, my comments were for the GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT
flag which you don't use. The flag GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
is enabled by default so you don't have to set it.
regards,
Nikos