Simon Josefsson <si...@josefsson.org> writes:

> The reason gnutls-cli doesn't complain is because it contains this code:
>
>   /* there are some CAs that have a v1 certificate *%&@#*%& */
>   gnutls_certificate_set_verify_flags (xcred,
>                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> I don't recommend doing the same in other applications, and we should
> probably remove it from gnutls-cli too. It may be useful to create a
> parameter in other tools to enable the flag on a per-case basis, though.
FWIW, I've worked on this in the gnutls 2.7.x branch. gnutls-cli no longer accepts V1 CAs by default, and there is a new --priority token %VERIFY_ALLOW_X509_V1_CA_CRT to enable it for those that need it.

The priority string approach is what we recommend applications expose to their users for configuring GnuTLS internal details.

/Simon