Re: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a

From: Andreas Metzler
Subject: Re: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a
Date: Mon, 22 Nov 2010 18:59:12 +0100
User-agent: Mutt/1.5.20 (2009-06-14)
On 2010-11-22 Nikos Mavrogiannopoulos <address@hidden> wrote:
> On 11/20/2010 03:53 PM, Andreas Metzler wrote:
> >> There is no practical problem with having V1 root CAs, the problem is
> >> with the intermediate (untrusted) and this flag allows only root CAs. If
> >> disabled it fails to verify a large fraction of any root CA list. A flag
> >> that would disallow them would offer the functionality you say, but I
> >> don't think it should be the default (not today with this large set of
> >> V1 CAs at least).
> > [...]
> >
> > Hello,
> > I have stumbled upon gnutls-cli's changed behavior today and could not
> > find anything in NEWS or Changelog about a policy change. If this
> > stays in, please document it. (simple patch attached, perhaps the manpage
> > should say so, too.)
> There is a note at:
> * Version 2.10.1 (released 2010-07-25)
> [...]
> ** gnutls-cli: Allow verification using V1 CAs.
Hello,
isn't "allow" too weak? Even 2.8.6 can do this with the correct
options. (--priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT)
> > Also I think different default values in gnutls-the-library and
> > gnutls-cli are confusing. ("My gnutls using app has problem x" -
> > "Please try to reproduce with gnutls-cli" - "Cannot.") Either
> > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is a more sensible default value
> > (AFAIK OpenSSL is using it, and about 50% of all TLS certificates are
> > signed by V1 CAs, e.g. Go Daddy.) or not. If
> > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is truly evil gnutls-cli should
> > not use it by default.
> Unfortunately this is the API since quite long to be changed.
> Applications are to set the required for verification flags. A way to
> solve this would be to make a higher level verification procedure
> (functionality). It is not on my immediate plans though.
Actually the implemented API has changed in the not too distant past,
versions before 2.4.3 accepted V1 CA certs.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
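The policy the thread argues about (V1 certificates accepted as trusted roots but not as untrusted intermediates, unless the application asks for more) is easiest to see on a constructed chain. The following is an added example written for this page, not code from the message, from GnuTLS or from gnutls-cli: it is a stand-alone toy model in plain C with no libgnutls dependency. The flag names mirror the GnuTLS verification flags GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT (named in the thread) and GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT (its broader sibling), but the enum values, the `struct cert` fields, `verify_chain` and the two sample chains are assumptions made for the illustration and do not correspond to the library's internals.

```c
/* Added example: a toy model of the X.509 version-1 CA policy discussed
 * in the thread. This is NOT GnuTLS code; it only mirrors the meaning of
 * the verification flags so the policies can be compared on a constructed
 * chain without linking libgnutls.
 *
 * Assumed flag semantics (names mirror GnuTLS, values do not):
 *   ALLOW_X509_V1_CA_CRT     - a V1 certificate may act as CA only when it
 *                              is a trusted root (the flag gnutls-cli 2.10.1
 *                              turned on by default, and which 2.8.6 needs
 *                              %VERIFY_ALLOW_X509_V1_CA_CRT for)
 *   ALLOW_ANY_X509_V1_CA_CRT - a V1 certificate may act as CA anywhere in
 *                              the chain, including untrusted intermediates
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum {
    VERIFY_DEFAULT           = 0,      /* the library default: no V1 CAs at all */
    ALLOW_X509_V1_CA_CRT     = 1u << 0,
    ALLOW_ANY_X509_V1_CA_CRT = 1u << 1,
};

/* Only the fields the policy needs; a real certificate carries much more. */
struct cert {
    const char *subject;
    int  version;               /* 1 or 3 */
    bool basic_constraints_ca;  /* V3 basicConstraints cA=TRUE; a V1 cert cannot carry it */
    bool trusted_root;          /* present in the caller's trust list */
};

enum verdict {
    CHAIN_OK = 0,
    CHAIN_ISSUER_NOT_CA,    /* a V3 issuer lacks basicConstraints cA=TRUE */
    CHAIN_V1_CA_REJECTED,   /* a V1 issuer not permitted by the flags */
    CHAIN_NO_TRUST_ANCHOR,  /* top of chain is not in the trust list */
};

/* Decide whether `issuer` may sign subordinate certificates under `flags`.
 * Signature and validity-period checks are out of scope for this model;
 * it isolates the "may this certificate act as a CA" decision only. */
static bool may_act_as_ca(const struct cert *issuer, unsigned flags, enum verdict *why)
{
    if (issuer->version == 1) {
        /* V1 has no basicConstraints, so the decision rests on the flags alone. */
        if (flags & ALLOW_ANY_X509_V1_CA_CRT)
            return true;
        if ((flags & ALLOW_X509_V1_CA_CRT) && issuer->trusted_root)
            return true;
        *why = CHAIN_V1_CA_REJECTED;
        return false;
    }
    if (!issuer->basic_constraints_ca) {
        *why = CHAIN_ISSUER_NOT_CA;
        return false;
    }
    return true;
}

/* chain[0] is the end-entity certificate, chain[n-1] must be a trusted root;
 * every certificate from index 1 upwards is checked as the issuer of the one below it. */
enum verdict verify_chain(const struct cert *chain, size_t n, unsigned flags)
{
    enum verdict why = CHAIN_OK;
    if (n == 0 || !chain[n - 1].trusted_root)
        return CHAIN_NO_TRUST_ANCHOR;
    for (size_t i = 1; i < n; i++)
        if (!may_act_as_ca(&chain[i], flags, &why))
            return why;
    return CHAIN_OK;
}

/* Constructed chains (not real certificates) modelling the two cases in the thread:
 * a V1 root such as the Go Daddy root mentioned above, and a V1 intermediate. */
static const struct cert v1_root_chain[] = {
    { "leaf",            3, false, false },
    { "V3 intermediate", 3, true,  false },
    { "V1 root CA",      1, false, true  },
};
static const struct cert v1_intermediate_chain[] = {
    { "leaf",            3, false, false },
    { "V1 intermediate", 1, false, false },
    { "V3 root CA",      3, true,  true  },
};

enum verdict check_v1_root(unsigned flags)         { return verify_chain(v1_root_chain, 3, flags); }
enum verdict check_v1_intermediate(unsigned flags) { return verify_chain(v1_intermediate_chain, 3, flags); }

int main(void)
{
    printf("V1 root,         default flags        : %d\n", check_v1_root(VERIFY_DEFAULT));
    printf("V1 root,         ALLOW_X509_V1_CA_CRT : %d\n", check_v1_root(ALLOW_X509_V1_CA_CRT));
    printf("V1 intermediate, ALLOW_X509_V1_CA_CRT : %d\n", check_v1_intermediate(ALLOW_X509_V1_CA_CRT));
    printf("V1 intermediate, ALLOW_ANY            : %d\n", check_v1_intermediate(ALLOW_ANY_X509_V1_CA_CRT));
    return 0;
}
```

With the default (zero) flags the V1 root chain fails, which is the behaviour Andreas hit in the library; with ALLOW_X509_V1_CA_CRT it passes while a V1 intermediate still does not, which is the distinction Nikos draws. Only the ALLOW_ANY variant accepts the V1 intermediate, and a V1 certificate has no basicConstraints to limit it, so an application that sets that flag is trusting every V1 leaf its CAs ever issued as a potential issuer.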