Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation



* Nicolas Boullis:

>> You could try if recompiling gnutls13 with this patch
>> 
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807>
>> 
>> enables your setup to work.
>
> I just built it; it seems to work fine.

Thanks.

>> However, it is unlikely that we will
>> apply a similar change to lenny.  (For etch, the best approach is
>> still somewhat unclear.  But it's either changing gnutls13 in this
>> way, or keeping the current behavior; modifying all applications is
>> out of the question.)
>
> What's the problem with this patch?

The usual problem with X.509v1 certificates: if you add something to
the certificate store, assuming it's a server certificate, it turns
into a CA certificate.  This might be a problem in some cases.
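
An added example, not part of the original message: an X.509v1 certificate has no extensions field, so it cannot carry basicConstraints, and a trust store has nothing in the certificate itself to tell a server certificate from a CA. The sketch below reads the version and the cA flag from DER and lists the store entries that carry no such flag. The helper names and the sample inputs are hypothetical; the samples are constructed skeletons, not real signed certificates.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf):  # yield (tag, value_bytes) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve

def cert_profile(der):
    """Return (version, ca); ca is None when basicConstraints is absent."""
    tbs = next(children(next(children(der))[1]))[1]  # Certificate -> TBSCertificate
    version, ca = 1, None  # the version field is omitted in a v1 certificate
    for tag, val in children(tbs):
        if tag == 0xA0:    # [0] EXPLICIT Version, wraps INTEGER 02 01 0n
            version = val[-1] + 1
        elif tag == 0xA3:  # [3] EXPLICIT Extensions, only present in v3
            for _, ext in children(next(children(val))[1]):
                fields = list(children(ext))
                if fields[0][1] == BASIC_CONSTRAINTS:
                    bc = next(children(fields[-1][1]))[1]
                    first = next(children(bc), None)  # cA BOOLEAN, DEFAULT FALSE
                    ca = bool(first and first[0] == 0x01 and first[1] != b"\x00")
    return version, ca

def enc(tag, *parts):  # short-form DER encoder for the constructed samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(v3, ca=False):  # constructed skeleton, not a real signed certificate
    empty = enc(0x30)
    tbs = [enc(0x02, b"\x01")] + [empty] * 5
    if v3:
        bc = enc(0x30, enc(0x01, b"\xff")) if ca else enc(0x30)
        ext = enc(0x30, enc(0x06, BASIC_CONSTRAINTS), enc(0x04, bc))
        tbs = [enc(0xA0, enc(0x02, b"\x02"))] + tbs + [enc(0xA3, enc(0x30, ext))]
    return enc(0x30, enc(0x30, *tbs), empty, enc(0x03, b"\x00"))

def no_ca_flag(store):  # names of entries that cannot state whether they are a CA
    return [n for n, der in store.items() if cert_profile(der)[1] is None]
```

Running `no_ca_flag` over a mapping of name to DER bytes lists the entries whose CA status is left entirely to the validating library.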
