[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.
On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environement when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>>
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>>
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?
Yes. The patch pushed in CVS works as expected.
I agree that having an option to enable/disable the trust of V1 CA
certificates would be helpful.
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com