* Simon Josefsson <[email protected]> [10-06-21 11:32]:
> > I am wondering when the flag GNUTLS_VERIFY_DO_NOT_ALLOW_SAME should be
> > used. I've seen it in use in the Wocky library[0], which is used by the
> > instant messenger client empathy.
[...]
> I don't see any normal situation where this flag is useful.
>
> I'm not sure the behaviour you see is actually intended, I don't see why
> it should reject the chain here. So it may be a bug...
>
> The flag _may_ be useful if you have an X.509 Version 1 certificate as a
> trust anchor. You may want to trust an X.509v1 CA for verifying server
> certificates signed by the X.509v1 CA, but you definitely do not want to
> accept that certificate as the server certificate (because there are no
> name restriction extensions). On the other hand, you shouldn't use
> X.509v1 certificates anyway...
Just to clarify: Using GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT without
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is a sane choice (if one still needs to
deal with X.509v1 certificates).

-- 
Lars

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
