Simon Brown wrote:
> Hi,
> I use the Wanderlust email client and the Debian packager, Tatsuya has
> recently changed to using GNU TLS from OpenSSL. This has caused a
> problem for me as an IMAP server I use seems to have a certificate
> problem which either didn't exist before or was ignored by OpenSSL.
> The instructions to help diagnose the problem given by Tatsuya the
> packager are shown below with the output. The server's administrators
> claim there is not a problem as Thunderbird on Win32 has no
> problem. Thunderbird does not include the Educational certificate in
> its root store

It seems that the program you are using should set the verification flag to allow X.509 V.1 certificates. This is done with the gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); call. For some reason it wasn't default in gnutls-cli as well. I've set it now.

> I have worked around the problem by adding the intermediate
> certificate to my local store. I would none the less be very grateful
> for any help in locating the cause of the problem.

By default we disable version 1 certificates since it is not possible to distinguish CA certificates from end-user (server) certificates. If one is sure that his trusted certificate storage only contains CA certificates, then this flag should be specified.

regards,
Nikos
