Florian Weimer <[email protected]> writes:

> * Simon Josefsson:
>
>> Florian Weimer <[email protected]> writes:
>>
>>> Simon, could we make the harmless variant (X.509v1 certificate set as
>>> trusted is accepted as a root CA, but intermediate X.509v1
>>> certificates aren't accepted) the default in etch?
>
>> It may be that the practical problems are more important than the
>> potential security problem here, which would argue for using the patch.
>
> This seems to be the case.
>
> I would like to apply the following patch to etch and lenny.  Any
> objections?
No, but please try to make sure documentation is clear about what this
modification means for users and developers, since you are deviating from
upstream code.  The GnuTLS manual will not be consistent with the behaviour
people will see with GnuTLS on Debian.  Maybe README.Debian or similar is a
good place to put this information in?  NEWS.Debian?  changelog.Debian?  Or
all of them.  Maybe point to a wiki page, that will allow us to provide more
information to users in the future.

/Simon

>> diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
>> index 7872f20..fe7ad22 100644
>> --- a/lib/gnutls_cert.c
>> +++ b/lib/gnutls_cert.c
>> @@ -280,6 +280,7 @@ gnutls_certificate_allocate_credentials
>> (gnutls_certificate_credentials_t *
>>
>> (*res)->verify_bits = DEFAULT_VERIFY_BITS;
>> (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
>> + (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
>>
>> return 0;
>> }
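Review bot: the new default line in gnutls_certificate_allocate_credentials carries no comment and the patch touches no documentation, so a reader of lib/gnutls_cert.c, or of the GnuTLS manual that still describes upstream behaviour, cannot tell this is a Debian-specific relaxation; add a one-line comment above `(*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;` saying that X.509v1 certificates are accepted as CAs only when they are themselves in the trusted set, and ship the README.Debian/NEWS.Debian note asked for above. That note should also say that this is only the initial value assigned at allocation time: an application that later sets its own verify flags on the credentials replaces it, and so will still reject v1 trusted roots unless it passes the flag itself.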

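The two policies the thread contrasts (accept an X.509v1 certificate as a CA only when it is itself in the trusted set, versus accept any X.509v1 certificate as a CA anywhere in the chain) differ because a v1 certificate has no extensions and therefore no basicConstraints, so a v1 end-entity certificate cannot be told apart from a v1 CA. The chain check below is an added example written for this page, not GnuTLS code: it models certificates as subject/issuer/version records, treats name linkage as standing in for signature verification, and uses flag constants whose names mirror GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT and the companion GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT but whose values and the `Cert`, `may_issue`, `verify_chain` and `scenarios` names are assumptions made here. The test data is constructed.

```python
"""Toy chain check contrasting the two X.509v1 CA policies.

Added example for this page, not GnuTLS code.  Signatures are modelled by
subject/issuer name linkage only; flag values are arbitrary and only the
names mirror the GnuTLS constants.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW_X509_V1_CA_CRT = 1       # v1 accepted as CA only if in the trusted set
ALLOW_ANY_X509_V1_CA_CRT = 2   # v1 accepted as CA anywhere in the chain


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int                 # 1 or 3
    ca: Optional[bool] = None    # basicConstraints.cA; None = extension absent


def may_issue(cert, trusted, flags):
    """Return (ok, reason): may `cert` act as a CA under this policy?"""
    if cert.version == 1:
        # No extensions in v1, so there is no basicConstraints to consult.
        if cert in trusted and flags & ALLOW_X509_V1_CA_CRT:
            return True, f"{cert.subject}: v1 but explicitly trusted"
        if flags & ALLOW_ANY_X509_V1_CA_CRT:
            return True, f"{cert.subject}: v1 accepted as CA by ALLOW_ANY policy"
        return False, f"{cert.subject}: v1 certificate not allowed as CA"
    if cert.ca is True:
        return True, f"{cert.subject}: v3 CA"
    return False, f"{cert.subject}: v3 without basicConstraints cA=TRUE"


def verify_chain(chain, trusted, flags):
    """chain[0] is the end-entity; chain[i+1] issued chain[i].  Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    cur = chain[0]
    for issuer in chain[1:]:
        if issuer.subject != cur.issuer:
            return False, f"{issuer.subject} did not issue {cur.subject}"
        ok, why = may_issue(issuer, trusted, flags)
        if not ok:
            return False, why
        cur = issuer
    if cur in trusted:
        return True, f"anchored at trusted {cur.subject}"
    anchor = next((t for t in trusted if t.subject == cur.issuer), None)
    if anchor is None:
        return False, f"no trusted issuer for {cur.subject}"
    ok, why = may_issue(anchor, trusted, flags)
    return (True, f"anchored at trusted {anchor.subject}") if ok else (False, why)


# Constructed test data: an old v1 root, a modern v3 root, a v1 intermediate
# under the v3 root, and a v1 end-entity certificate under the v1 root.
V1_ROOT = Cert("Old Root", "Old Root", version=1)
V3_ROOT = Cert("New Root", "New Root", version=3, ca=True)
V1_INTERMEDIATE = Cert("Legacy Sub CA", "New Root", version=1)
V1_LEAF = Cert("shop.example", "Old Root", version=1)
TRUSTED = frozenset({V1_ROOT, V3_ROOT})


def scenarios():
    """Outcome of each chain under no flags, the proposed default, and the lax policy."""
    default = ALLOW_X509_V1_CA_CRT
    lax = ALLOW_X509_V1_CA_CRT | ALLOW_ANY_X509_V1_CA_CRT
    under_v1_root = [Cert("www.example", "Old Root", 3, False)]
    under_v1_sub = [Cert("mail.example", "Legacy Sub CA", 3, False), V1_INTERMEDIATE]
    # The danger case: a v1 *end-entity* certificate "issuing" another certificate.
    leaf_as_ca = [Cert("evil.example", "shop.example", 3, False), V1_LEAF]
    return {
        "v1_root_strict": verify_chain(under_v1_root, TRUSTED, 0)[0],
        "v1_root_default": verify_chain(under_v1_root, TRUSTED, default)[0],
        "v1_intermediate_default": verify_chain(under_v1_sub, TRUSTED, default)[0],
        "v1_intermediate_lax": verify_chain(under_v1_sub, TRUSTED, lax)[0],
        "v1_leaf_as_ca_default": verify_chain(leaf_as_ca, TRUSTED, default)[0],
        "v1_leaf_as_ca_lax": verify_chain(leaf_as_ca, TRUSTED, lax)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

The last two scenarios are the point of the thread: under the proposed default a v1 certificate issued by a trusted root is still a leaf, so a chain that passes through it is rejected, whereas the ALLOW_ANY policy lets that same leaf vouch for arbitrary names below it.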
