* Simon Josefsson:

> Florian Weimer <f...@deneb.enyo.de> writes:
>
>> Simon, could we make the harmless variant (X.509v1 certificate set as
>> trusted is accepted as a root CA, but intermediate X.509v1
>> certificates aren't accepted) the default in etch?
> It may be that the practical problems are more important than the
> potential security problem here, which would argue for using the patch.

This seems to be the case. I would like to apply the following patch
to etch and lenny. Any objections?

> diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c > index 7872f20..fe7ad22 100644 > --- a/lib/gnutls_cert.c > +++ b/lib/gnutls_cert.c > @@ -280,6 +280,7 @@ gnutls_certificate_allocate_credentials > (gnutls_certificate_credentials_t * > > (*res)->verify_bits = DEFAULT_VERIFY_BITS; > (*res)->verify_depth = DEFAULT_VERIFY_DEPTH; > + (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; > > return 0; > }
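
Review bot: The added line in gnutls_certificate_allocate_credentials hard-codes GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, while the two assignments directly above it take their values from DEFAULT_VERIFY_BITS and DEFAULT_VERIFY_DEPTH; a DEFAULT_VERIFY_FLAGS define next to those would keep all the defaults in one place. The hunk also changes verification behaviour for every caller of this function without a comment or documentation update. A short comment stating that only X.509v1 certificates in the trusted set are accepted as root CAs, and that intermediate X.509v1 certificates are still rejected, would record the intent discussed in this thread, and the function's documentation should say that applications wanting the strict behaviour need to set their own verify flags.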