
Re: (ITS#5992) libldap with gnutls don't trust V1 CAs.

On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
>> Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a
>> CA chain is checked. Thus libldap+gnutls breaks in existing environments when
>> one of the CA certs uses a V1 certificate. However libldap+openssl still
>> supports V1 certificates in the CA chain.
>> See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more
>> information.
>> Could libldap+gnutls be updated to also support V1 CA certificates to match
>> features provided by libldap+openssl?
> Just to be clear, are you requesting that libldap unconditionally call
> gnutls_certificate_set_verify_flags() with 

Yes. The patch pushed in CVS works as expected. 

I agree that having an option to enable/disable the trust of V1 CA
certificates would be helpful.

Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
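
Added example, not OpenLDAP or GnuTLS code, of the issuer check this ITS is about. It pulls the two fields the decision rests on out of a DER certificate, the version and the basicConstraints extension, and then applies either the strict rule (an X.509 v1 certificate is never accepted as an issuer, the GnuTLS 2.6.3 default the report describes) or the relaxed one libldap is being asked to enable (v1 issuers accepted, matching libldap+openssl). Assumptions: the ALLOW_X509_V1_CA_CRT constant is modelled on GnuTLS's GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT but its bit value is illustrative, and which flag libldap's CVS patch actually passes is cut off in the quoted line above; the certificates are constructed, unsigned DER skeletons with placeholder names and keys; the function names are mine.

```python
# Modelled on GnuTLS's GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; the bit value is
# illustrative (assumption), not GnuTLS's real constant.
ALLOW_X509_V1_CA_CRT = 1 << 0

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # id-ce-basicConstraints, 2.5.29.19


def _tlv(tag, value):
    """DER-encode one tag/length/value triple (lengths up to 65535)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos:]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def build_skeleton_cert(version=None, ca=None):
    """Constructed sample: a structurally valid but unsigned Certificate.

    version=None omits the [0] version field, which in DER means v1;
    version=2 encodes an X.509 v3 certificate.  ca=True/False adds a
    basicConstraints extension with that cA value; ca=None adds none.
    """
    fields = []
    if version is not None:
        fields.append(_tlv(0xA0, _tlv(0x02, bytes([version]))))         # [0] EXPLICIT version
    fields.append(_tlv(0x02, b"\x01"))                                   # serialNumber
    fields.append(_tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")))  # sha256WithRSA
    fields.append(_tlv(0x30, b""))                                       # issuer: empty placeholder Name
    fields.append(_tlv(0x30, _tlv(0x17, b"090101000000Z") + _tlv(0x17, b"190101000000Z")))  # validity
    fields.append(_tlv(0x30, b""))                                       # subject: placeholder
    fields.append(_tlv(0x30, b""))                                       # subjectPublicKeyInfo: placeholder
    if ca is not None:
        # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }; DER omits a FALSE default
        bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
        ext = _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff") + _tlv(0x04, bc))
        fields.append(_tlv(0xA3, _tlv(0x30, ext)))                       # [3] EXPLICIT extensions
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))      # placeholder sigalg + signature


def inspect_certificate(der):
    """Return {'version': 1|2|3, 'ca': True|False|None} for a DER certificate."""
    cert = _read_tlv(der, 0)[1]
    tbs = _read_tlv(cert, 0)[1]
    fields = _children(tbs)
    version = 1                                   # DEFAULT v1 when the [0] field is absent
    if fields and fields[0][0] == 0xA0:
        version = int.from_bytes(_read_tlv(fields[0][1], 0)[1], "big") + 1
    ca = None                                     # None: no basicConstraints extension present
    for tag, val in fields:
        if tag != 0xA3:
            continue
        for _, ext in _children(_read_tlv(val, 0)[1]):
            parts = _children(ext)                # extnID, [critical], extnValue
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                bc = _children(_read_tlv(parts[-1][1], 0)[1])
                ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return {"version": version, "ca": ca}


def check_issuers(chain, flags=0):
    """chain[0] is the end-entity cert, chain[1:] the issuers up to the root.

    Returns (ok, reason).  With flags=0 a v1 certificate is never accepted
    as an issuer: it cannot carry basicConstraints, so only its position in
    the chain says it is a CA.  With ALLOW_X509_V1_CA_CRT that positional
    trust is enough, which is the libldap+openssl behaviour the ITS asks for.
    """
    for depth, der in enumerate(chain[1:], start=1):
        info = inspect_certificate(der)
        if info["version"] == 1:
            if not flags & ALLOW_X509_V1_CA_CRT:
                return False, f"issuer at depth {depth} is an X.509 v1 certificate"
            continue
        if info["ca"] is not True:
            return False, f"issuer at depth {depth} lacks basicConstraints cA=TRUE"
    return True, "all issuers acceptable"


if __name__ == "__main__":
    leaf = build_skeleton_cert(version=2, ca=False)
    v1_root = build_skeleton_cert()               # the kind of v1 CA the report is about
    v3_root = build_skeleton_cert(version=2, ca=True)
    print(check_issuers([leaf, v1_root]))                         # rejected under the strict default
    print(check_issuers([leaf, v1_root], ALLOW_X509_V1_CA_CRT))   # accepted with the relaxed flag
    print(check_issuers([leaf, v3_root]))                         # accepted: v3 with cA=TRUE
```

The caveat this makes visible is why a per-deployment switch, as suggested above, is worth having: with the relaxed flag set, any v1 certificate reachable from a trusted root, not only the root itself, passes as an issuer, so a v1 end-entity certificate issued by a trusted CA could sign further certificates that the client would accept.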