information. This avoids code duplication.
** gnutls-cli: No longer accepts V1 CAs by default.
+Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
+be used for chain verification.
+
+** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
+** and %VERIFY_ALLOW_X509_V1_CA_CRT.
+They can be used to override the default certificate chain validation
+behaviour.
** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
/* to disable record padding */
int no_padding;
+ int additional_verify_flags;
};
/*
- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
* '!' or '-' appended with an algorithm will remove this algorithm.
* '+' appended with an algorithm will add this algorithm.
* '%COMPAT' will enable compatibility features for a server.
+ * '%VERIFY_ALLOW_SIGN_RSA_MD5' will allow RSA-MD5 signatures in
+ * certificate chains.
+ * '%VERIFY_ALLOW_X509_V1_CA_CRT' will allow V1 CAs in chains.
*
* To avoid collisions in order to specify a compression algorithm in
* this string you have to prefix it with "COMP-", protocol versions
{
if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
(*priority_cache)->no_padding = 1;
+ else if (strcasecmp (&broken_list[i][1],
+ "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
+ else if (strcasecmp (&broken_list[i][1],
+ "VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
else
goto error;
}
/*
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
*
* Author: Nikos Mavrogiannopoulos
*
/* Verify certificate
*/
- ret =
- gnutls_x509_crt_list_verify (peer_certificate_list,
- peer_certificate_list_size,
- cred->x509_ca_list, cred->x509_ncas,
- cred->x509_crl_list, cred->x509_ncrls,
- cred->verify_flags, status);
+ ret = gnutls_x509_crt_list_verify (peer_certificate_list,
+ peer_certificate_list_size,
+ cred->x509_ca_list, cred->x509_ncas,
+ cred->x509_crl_list, cred->x509_ncrls,
+ cred->verify_flags | session->internals.priorities.additional_verify_flags,
+ status);
CLEAR_CERTS;