On Wed, Mar 04, 2009 at 07:01:16PM -0800, Howard Chu wrote:
> mathias.gug@canonical.com wrote:
> > Starting with GnuTLS 2.6.3, V1 CA certs are no longer trusted by default when a CA chain is checked. Thus libldap+gnutls breaks in existing environments when one of the CA certs uses a V1 certificate. However libldap+openssl still supports V1 certificates in the CA chain.
> > See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 for more information.
> > Could libldap+gnutls be updated to also support V1 CA certificates to match features provided by libldap+openssl?
>
> Just to be clear, are you requesting that libldap unconditionally call gnutls_certificate_set_verify_flags() with the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter?

Yes. The patch pushed in CVS works as expected.
I agree that having an option to enable/disable the trust of V1 CA certificates would be helpful.
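To tell whether a CA chain is affected by the GnuTLS 2.6.3 change discussed above, an administrator needs to know which certificate in it is V1. The following is an added example, not code from this thread, from OpenLDAP or from GnuTLS: it reads the version field of a DER-encoded certificate by walking the outer ASN.1 structure, and the two sample byte strings are constructed prefixes, not real certificates.

```c
#include <stddef.h>

/* Parse a DER tag and definite-form length at der[*pos]; advance *pos past the
 * header, store the content length, return 1 on success, 0 if malformed/truncated. */
static int der_header(const unsigned char *der, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    if (*pos + 2 > len)
        return 0;
    *tag = der[(*pos)++];
    unsigned char b = der[(*pos)++];
    if (b < 0x80) {
        *clen = b;                       /* short form */
    } else {
        unsigned n = b & 0x7f;           /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || *pos + n > len)
            return 0;
        *clen = 0;
        while (n--)
            *clen = (*clen << 8) | der[(*pos)++];
    }
    return *pos + *clen <= len;          /* content must fit in the buffer */
}

/* Return the X.509 version (1, 2 or 3) of a DER certificate, or -1 if malformed.
 * A V1 certificate omits the optional [0] EXPLICIT Version field, so tbsCertificate
 * opens directly with the INTEGER serialNumber; V2/V3 open with [0] { INTEGER 1|2 }. */
int x509_version(const unsigned char *der, size_t len)
{
    size_t pos = 0, clen;
    unsigned char tag;
    if (!der_header(der, len, &pos, &tag, &clen) || tag != 0x30)  /* Certificate */
        return -1;
    if (!der_header(der, len, &pos, &tag, &clen) || tag != 0x30)  /* tbsCertificate */
        return -1;
    if (!der_header(der, len, &pos, &tag, &clen))
        return -1;
    if (tag == 0x02)                  /* serialNumber first: Version absent, so v1 */
        return 1;
    if (tag != 0xA0 || clen != 3 || der[pos] != 0x02 || der[pos + 1] != 0x01)
        return -1;
    return der[pos + 2] <= 2 ? der[pos + 2] + 1 : -1;
}

/* Constructed sample prefixes (not real certificates): just enough of the
 * outer structure to carry the version field, which is all this check reads. */
static const unsigned char sample_v1[] = { 0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_v3[] = { 0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01,
                                           0x02, 0x02, 0x01, 0x05 };
```

The same check from the command line is `openssl x509 -in ca.pem -noout -text | grep Version`, which prints `Version: 1 (0x0)` for a V1 certificate.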