On Fri, 2014-10-31 at 15:00 +0100, Nikos Mavrogiannopoulos wrote:
> Sorry for my late reply, because I didn't have a good
suggestion
> earlier.
>
> We should work with the upstream OpenSSL and the GnuTLS projects, and
> motivate them to implement more advanced path building. This would be a
> long term project.
Is there some issue with gnutls in F21? As far as I understand it should
work as expected with the certificates removed.
I confirm that using GnuTLS 3.3.9-2.fc21 on Fedora 21 testing,
with ca-certificates-2014.2.1-1.3.fc21,
and ca-legacy set to disabled,
the command
gnutls-cli -p443
www.amazon.com
reports a trusted certificate.
That's great, thanks Nikos for fixing it in the newer GnuTLS on Fedora
21!
(Just for the record, using gnutls 3.1.27 on Fedora 20, and a scratch
build of the new ca-certificates package, and set to disabled, the
certificate is still rejected, which I understand is because of the
older GnuTLS version.)
If anyone can still see problems with GnuTLS and the above configuration
(disable) on Fedora 21, please let us know which site has the issue.
This means, the remaining package that needs fixing is OpenSSL.
Thanks
Kai