[Bug 28643] Use of GNUTLS_VERIFY_DO_NOT_ALLOW_SAME prevents connection with CAcert.org signed certificates

bugzilla-daemon at freedesktop.org
Mon Jun 21 22:33:13 CEST 2010


https://bugs.freedesktop.org/show_bug.cgi?id=28643

--- Comment #1 from Lars Noschinski <cebewee at gmx.de> 2010-06-21 13:33:13 PDT ---
There was additional discussion[0] and the solution is now less clear to me. A
fix changing the behaviour of GNUTLS_VERIFY_DO_NOT_ALLOW_SAME was committed to
the gnutls repository.

But to quote one of the gnutls developers, using the flag is quite sensible:

| The GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is a flag, to make the trusted
| certificate list, a list that can only certify other keys. That is it
| will not allow a certificate from this list to be used as a server
| certificate. So how it works it depends on your usage of this list. If
| you add end server certificates there maybe
| GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is not a good option for you. But for
| other uses it is quite sensible.

So, whether this flag should be set depends on whether _server_ certificates
are expected in the certificate store. This will probably be the case if a GUI
for certificate handling exists in Empathy?

[0] http://thread.gmane.org/gmane.network.gnutls.general/2037
