Bug#514807: Regression in libgnutls security update

Florian Weimer fw at deneb.enyo.de
Tue Feb 24 19:54:11 UTC 2009


* Simon Josefsson:

> Florian Weimer <fw at deneb.enyo.de> writes:
>
>> Simon, could we make the harmless variant (X.509v1 certificate set as
>> trusted is accepted as a root CA, but intermediate X.509v1
>> certificates aren't accepted) the default in etch?

> It may be that the practical problems are more important than the
> potential security problem here, which would argue for using the patch.

This seems to be the case.

I would like to apply the following patch to etch and lenny.  Any
objections?

> diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
> index 7872f20..fe7ad22 100644
> --- a/lib/gnutls_cert.c
> +++ b/lib/gnutls_cert.c
> @@ -280,6 +280,7 @@ gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
>  
>    (*res)->verify_bits = DEFAULT_VERIFY_BITS;
>    (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
> +  (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
>  
>    return 0;
>  }
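Review bot: the new default set in gnutls_certificate_allocate_credentials is silently replaced by any application that calls gnutls_certificate_set_verify_flags() itself, and the hunk carries no comment explaining why the credentials now start with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT instead of zero. Suggest a one-line comment above `(*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;` stating that this only accepts an X.509v1 certificate when it is explicitly in the trusted set, never as an intermediate, and a changelog entry noting the changed default for etch and lenny, so that applications which override the flags know they must re-add it to keep that behaviour.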




