On Mon, 1 Dec 2014, Alessandro Ghedini wrote:

> On Mon, Dec 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote:
> > Is this intentional, or is that a bug in either gnutls, curl, or the software
> > using these libraries?
>
> AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
> build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
> to a single leaf certificate and have the verification succeed.
>
> FWIW the current behaviour is the same with openssl. I don't know if there's a
> reason for it though.

Wild guess: a certificate may indicate, in optional extra fields, whether the signer intended it to act as a CA. For example, in Firefox certificate details these are listed under "Extensions" as "Certificate Basic Constraints", "Certificate Key Usage" and/or "Netscape Certificate Type". It might be that modern gnutls/openssl are actually enforcing these fields, which would cause a single server certificate to be considered invalid for CA purposes. And there might possibly be some way to override that decision.

Just my 2c,

Anne Bezemer
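As an added illustration of the checks Anne refers to (this is example code written for this page, not code from the thread, curl or gnutls), the following Python model walks a certificate chain the way a verifier does and shows what happens when the CA bundle contains only the server's own leaf certificate. The `Cert` records, the names and the `allow_partial_chain` switch (modelled on OpenSSL's X509_V_FLAG_PARTIAL_CHAIN) are assumptions of the example; no real signatures are checked.

```python
# Added example (not from the thread, curl or gnutls): a toy chain builder.
# Signatures are not checked; only names, Basic Constraints, Key Usage and
# trust-store membership are modelled.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    ca: bool = False                               # Basic Constraints CA flag
    key_usage: set = field(default_factory=set)    # e.g. {"keyCertSign"}

    @property
    def self_signed(self):
        return self.subject == self.issuer

def verify(leaf, extra, trust_store, allow_partial_chain=False):
    """Return (ok, reason). `extra` holds intermediates the server sent and
    `trust_store` the CAINFO bundle. allow_partial_chain is modelled on OpenSSL's
    X509_V_FLAG_PARTIAL_CHAIN (assumed: any store member may end the chain)."""
    chain, cur = [leaf], leaf
    for _ in range(8):                             # depth cap against loops
        if cur in trust_store and (cur.self_signed or allow_partial_chain):
            return True, " -> ".join(c.subject for c in chain)
        if cur.self_signed:
            return False, f"self-signed {cur.subject} is not in the trust store"
        # look for the issuer among the bundle and the sent intermediates
        cand = [c for c in trust_store + extra if c.subject == cur.issuer]
        if not cand:
            return False, f"unable to get issuer certificate for {cur.subject}"
        issuer = cand[0]
        if not issuer.ca or "keyCertSign" not in issuer.key_usage:
            return False, f"{issuer.subject} is not a CA (Basic Constraints/Key Usage)"
        chain.append(issuer)
        cur = issuer
    return False, "chain too long"

# constructed sample certificates
ROOT = Cert("Root CA", "Root CA", ca=True, key_usage={"keyCertSign"})
INTER = Cert("Intermediate CA", "Root CA", ca=True, key_usage={"keyCertSign"})
SERVER = Cert("www.example.org", "Intermediate CA", key_usage={"digitalSignature"})

def demo():
    return {
        "leaf_as_cainfo": verify(SERVER, [INTER], [SERVER])[0],
        "leaf_as_cainfo_partial": verify(SERVER, [INTER], [SERVER], True)[0],
        "proper_chain": verify(SERVER, [INTER], [ROOT])[0],
        "non_ca_signer": verify(Cert("other.example.org", "www.example.org"), [SERVER], [ROOT])[0],
    }
```

In the leaf-only case the walk fails not on the leaf itself but when it looks for the leaf's issuer, which the bundle does not contain; the partial-chain switch stops the walk at the leaf instead.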


Archive: https://lists.debian.org/pine.lnx.4.64.1412012029400....@wormhole.robuust.nl