On 30 October 2012 14:17, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On Tue, Oct 30, 2012 at 10:04 AM, Michal Suchanek <[email protected]> wrote:
>> Hello,
>> when this flag is set some certificates cannot be verified.
>> hermes.jabber.org sends a certificate chain laid out like
>> S R I where S is the server certificate, R is root certificate, and I
>> is intermediate certificate which signs S and is signed by R. R is
>> known CA.
>> gnutls-cli version 2.8.6, 3.0.20 and 3.0.22 cannot verify the
>> certificate. gnutls-cli version 3.1.3 can.
>> Upgrading gnutls to 3.1 does not enable an application to verify
>> certificate unless the code setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
>> is disabled in the application.
> Now for the issue you see. It is because you do not set the flag
> GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. If you set this flag then unsorted
> chains will be sorted prior to verification. The reason you see this
> failure is because this flag is enabled by default on a credentials
> structure, unless it is overridden by other flags as you do.

So all the examples using gnutls_certificate_set_verify_flags are bogus because they replace the default flags and break the verification. Also there is no get_verify_flags afaict so you can't update the flags in any sane way.

Thanks

Michal

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
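As an added illustration of what GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN lets the verifier do before it walks a chain (example code written for this thread, not GnuTLS's own implementation): a simplified chain sorter over constructed certificates that are identified only by subject and issuer names, fed the S R I layout described above. The `cert_t` struct, `sort_chain`, `chain_is_sorted` and `sample_chain` are all invented for the example; a real sorter matches issuer/subject DNs and key identifiers and then checks signatures, which this deliberately skips.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an X.509 certificate: only the names matter here. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

#define MAX_CHAIN 8

/* The chain as the thread describes it: S (server), R (root), I (intermediate).
 * Constructed sample data, not what hermes.jabber.org actually sends. */
const cert_t sample_chain[3] = {
    { "hermes.jabber.org", "Example Intermediate CA" },   /* S, signed by I */
    { "Example Root CA",   "Example Root CA" },           /* R, self-signed */
    { "Example Intermediate CA", "Example Root CA" },     /* I, signed by R */
};

/* Strict check a verifier without chain sorting effectively performs:
 * each certificate must be issued by the one that follows it.
 * Returns 1 if the order is usable, 0 otherwise. */
int chain_is_sorted(const cert_t *c, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(c[i].issuer, c[i + 1].subject) != 0)
            return 0;
    return 1;
}

/* Reorder `in` into `out` so out[0] is the end-entity certificate (the first
 * one sent) and each following entry is the issuer of the previous one.
 * Stops early at a self-signed certificate (the top of the chain).
 * Returns the number of certificates placed, or -1 if a link is missing. */
int sort_chain(const cert_t *in, int n, cert_t *out)
{
    if (n < 1 || n > MAX_CHAIN)
        return -1;

    int used[MAX_CHAIN] = { 0 };
    out[0] = in[0];
    used[0] = 1;
    int placed = 1;

    while (placed < n) {
        const cert_t *last = &out[placed - 1];
        if (strcmp(last->subject, last->issuer) == 0)
            break;                         /* reached a self-signed root */

        int found = -1;
        for (int i = 0; i < n; i++) {
            if (!used[i] && strcmp(in[i].subject, last->issuer) == 0) {
                found = i;
                break;
            }
        }
        if (found < 0)
            return -1;                     /* issuer not in the bundle */

        out[placed++] = in[found];
        used[found] = 1;
    }
    return placed;
}

/* Sort the sample chain and report how many certificates ended up in a
 * verifiable order (3 for S I R), or -1 if sorting did not produce one. */
int demo_sort_sample(void)
{
    cert_t out[MAX_CHAIN];
    int placed = sort_chain(sample_chain, 3, out);
    if (placed < 0 || !chain_is_sorted(out, placed))
        return -1;
    return placed;
}

int main(void)
{
    printf("as sent, chain is sorted: %d\n", chain_is_sorted(sample_chain, 3));
    printf("after sorting, usable certificates: %d\n", demo_sort_sample());
    return 0;
}
```

The thread's practical point still applies when wiring this into an application: gnutls_certificate_set_verify_flags replaces the credential's default flags rather than adding to them, so an application that passes only GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT silently drops the unsorted-chain handling and fails on exactly this S R I layout; whatever flag an application intends to add should be combined with the sorting flag it wants to keep.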
