a...@gedanken.demon.co.uk (Andrew M. Bishop) writes:

> Simon Josefsson <si...@josefsson.org> writes:
>
>> a...@gedanken.demon.co.uk (Andrew M. Bishop) writes:
>>
>>> One thing that I noticed during the debugging of this problem is that
>>> the newly created certificates (above) are described by certtool as
>>> "Version: 3" but the WWWOFFLE ones are "Version: 1".
>>
>> V1 CA certs should be permitted in latest GnuTLS, but it was disabled
>> during some releases. I suspect this is not well tested, V1 certs are
>> rare, so there could be some bug. Could you enable certification
>> validation logging somehow? Or run gnutls-cli/gnutls-serv with logging
>> enabled.
>
> Changing the version of the certificate is as simple as changing the
> argument to the gnutls_x509_crt_set_version() function isn't it?
>
> Is there any reason that I shouldn't just change this so that new
> certificates are generated as V3 while old ones remain V1? If there
> is no problem with a system using a mixture of the two certificate
> versions then this would give some future-proofing against gnutls
> changes wouldn't it?

New certs should definitely be V3 certs! There is no reason to use V1
certs unless you are dealing with some already existing legacy V1 CA
certs.

/Simon
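
An added example, not part of the original thread and not WWWOFFLE or GnuTLS code: a Python check that reads the X.509 version straight from a certificate's DER encoding, for inventorying a store that mixes old V1 and new V3 certificates as discussed above. A V1 certificate is recognised by the absence of the optional version field; the two byte strings are constructed skeletons holding only the leading fields, and the store names are hypothetical.

```python
# Added example: X.509 version of a DER certificate, read from the raw encoding.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)      # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, vstart, _ = read_tlv(der, start)     # first field of TBSCertificate
    if tag == 0x02:                           # serialNumber first: version omitted, so V1
        return 1
    if tag != 0xA0:                           # otherwise expect version [0] EXPLICIT
        raise ValueError("unexpected first field in TBSCertificate")
    tag, istart, iend = read_tlv(der, vstart)
    if tag != 0x02 or iend - istart != 1 or der[istart] > 2:
        raise ValueError("malformed version field")
    return der[istart] + 1                    # encoded 0, 1, 2 mean V1, V2, V3

def legacy_v1(store):
    """Names of the certificates in a {name: der_bytes} store that are V1."""
    return sorted(name for name, der in store.items() if x509_version(der) == 1)

# Constructed skeletons: only the leading fields, not real certificates.
V1_SKELETON = bytes.fromhex("30053003020101")            # serialNumber only
V3_SKELETON = bytes.fromhex("300a3008a003020102020101")  # [0]{INTEGER 2}, serialNumber

if __name__ == "__main__":
    store = {"old-ca": V1_SKELETON, "new-host": V3_SKELETON}  # hypothetical names
    for name, der in store.items():
        print(name, "is V%d" % x509_version(der))
    print("legacy V1:", legacy_v1(store))
```

For PEM files, base64-decode the body between the BEGIN and END lines before calling `x509_version`.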