On Tue, Oct 30, 2012 at 10:04 AM, Michal Suchanek <[email protected]> wrote: > Hello, > when this flag is set some certificates cannot be verified. > hermes.jabber.org sends a certificate chain laid out like > S R I where S is the server certificate, R is root certificate, and I > is intermediate certificate which signs S and is signed by R. R is > known CA. > gnutls-cli version 2.8.6, 3.0.20 and 3.0.22 cannot verify the > certificate. gnutls-cli version 3.1.3 can. > Upgrading gnutls to 3.1 does not enable an application to verify > certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT > is disabled in the application.
The GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a dangerous flag and you shouldn't use it unless you really know the consequences. In short it means that an end-user certificate may pretend to be a CA. Now for the issue you see. It is because you do not set the flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted chains will be sorted prior to verification. The reason you see this failure is because this flag is enabled by default on a credentials structure, unless it is overridden by other flags as you do. regards, Nikos _______________________________________________ Help-gnutls mailing list [email protected] https://lists.gnu.org/mailman/listinfo/help-gnutls
