Bug 28643 - Use of GNUTLS_VERIFY_DO_NOT_ALLOW_SAME prevents connection with CAcert.org signed certificates
Status: RESOLVED FIXED
Alias: None
Product: Wocky
Classification: Unclassified
Component: General
Version: unspecified
Hardware: Other Linux (All)
Priority: medium, Severity: normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
Reported: 2010-06-21 03:45 UTC by Lars Noschinski
Modified: 2010-06-22 11:11 UTC (History)
Description Lars Noschinski 2010-06-21 03:45:20 UTC
If using the WOCKY_TLS_VERIFY_NORMAL level, wocky sets the flag "GNUTLS_VERIFY_DO_NOT_ALLOW_SAME". This prevents connecting to servers (e.g. jabberd.jabber.ccc.de) with a certificate signed by CAcert.org, with error GNUTLS_CERT_INSECURE_ALGORITHM, even if both root and class3 certificates[0] are installed. Removing this flag yields a successful connection.

I asked on the gnutls mailing list about this flag and using this flag seems useless here[1].

So I suggest removing it.


[0] http://www.cacert.org/index.php?id=3
[1] http://thread.gmane.org/gmane.network.gnutls.general/2037
Comment 1 Lars Noschinski 2010-06-21 13:33:13 UTC
There was additional discussion[0] and the solution is now less clear to me. A fix changing the behaviour of GNUTLS_VERIFY_DO_NOT_ALLOW_SAME was committed to the gnutls repository.

But to quote one of the gnutls developers, using the flag is quite sensible:

| The GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is a flag, to make the trusted
| certificate list, a list that can only certify other keys. That is it
| will not allow a certificate from this list to be used as a server
| certificate. So how it works it depends on your usage of this list. If
| you add end server certificates there maybe
| GNUTLS_VERIFY_DO_NOT_ALLOW_SAME is not a good option for you. But for
| other uses it is quite sensible.

So, whether this flag should be set depends on whether _server_ certificates are expected in the certificate store. This will probably be the case if a GUI for certificate handling exists in Empathy?

[0] http://thread.gmane.org/gmane.network.gnutls.general/2037
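To make the quoted distinction concrete, here is a small added Python model of the flag's semantics (not Wocky or GnuTLS code; the certificates are constructed dicts and the library's behaviour is only approximated). It shows that the flag changes the outcome only when a server certificate is itself in the trust list:

```python
from typing import Dict, List, Optional

# A certificate is modelled as a dict with a "subject", the "issuer" subject,
# and an "fp" fingerprint identifying the exact certificate (all constructed).
Cert = Dict[str, str]

def verify_chain(chain: List[Cert], trusted: List[Cert],
                 do_not_allow_same: bool) -> Optional[str]:
    """Return None when the peer chain verifies against the trust list,
    otherwise a short reason. chain[0] is the end-entity (server) cert."""
    if not chain:
        return "empty chain"
    trusted_fps = {c["fp"] for c in trusted}
    by_subject = {c["subject"]: c for c in trusted}
    # Case 1: the server presented a certificate that is itself in the list.
    if chain[0]["fp"] in trusted_fps:
        if do_not_allow_same:
            # The flag turns the list into "may only certify other keys".
            return "trusted certificate used as server certificate"
        return None
    # Case 2: walk the presented chain until an issuer is found in the list.
    for i, cert in enumerate(chain):
        if cert["issuer"] in by_subject:
            return None
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt["subject"] != cert["issuer"]:
            return "issuer %r not presented and not trusted" % cert["issuer"]
    return "no trusted issuer found"

# Constructed sample certificates (hypothetical names, not CAcert's own).
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA", "fp": "fp-root"}
INTERMEDIATE = {"subject": "Example Class 3", "issuer": "Example Root CA", "fp": "fp-class3"}
SERVER = {"subject": "xmpp.example.org", "issuer": "Example Class 3", "fp": "fp-server"}

def scenarios() -> Dict[str, Optional[str]]:
    """Compare a CA-only trust list with one that also holds the server cert
    (e.g. after a user accepted it in a certificate GUI)."""
    ca_only = [ROOT, INTERMEDIATE]
    with_server = [ROOT, SERVER]
    return {
        "ca-only/strict": verify_chain([SERVER, INTERMEDIATE], ca_only, True),
        "ca-only/lenient": verify_chain([SERVER, INTERMEDIATE], ca_only, False),
        "pinned/strict": verify_chain([SERVER], with_server, True),
        "pinned/lenient": verify_chain([SERVER], with_server, False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", "OK" if result is None else result)
```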
Comment 2 Simon McVittie 2010-06-22 11:11:37 UTC
Fixed in git, and in the snapshot in Gabble 0.9.14. Thanks for your patch!