Copy of note sent on 1/8/2009:

Attached are the server cert (auth2.it.anl.gov), the intermediate cert (f0a38a80.0) and the CA self-signed cert (7651b327.0), a debug version of verify.c, and partial output of an ldapsearch using the debug.c. My patch has been #if 0'ed out at line 151.

Let's refer to the cert chain as A, B and C. The OpenLDAP server (using OpenSSL) sends server cert A, intermediate cert B, and CA cert C. The TLS_CACERT file has B and C.

The clist_size is then 3, and the code in _gnutls_x509_verify_certificate around line 443 drops it to 2, leaving the chain as A, B. The tcase_size is 2.

_gnutls_verify_certificate2 at line 452 is called with cert B and tcas with B and C and flags 0. At line 265, find_issuer is called with B. It returns C. check_is_ca is called at line 297, which fails because there is no BasicConstraint. The if at 293 looks correct too.

*BUT* if one trusts both B and C, do we need to verify C? Why does the code around line 265 not stop after finding that B is in the tcas, rather than looking for C, and then verifying it?

If I try it again with the TLS_CACERT file with only B, it also fails because it can not find the issuer of B. If the code around line 265 were modified so that it stops if B is found in the tcas, this should also work.

Simon Josefsson wrote:
> "Douglas E. Engert"
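The chain walk described in the message above, as an added example that is not part of the original thread and not GnuTLS code. Certificates are plain structs, a signature check is modelled by comparing the key a cert claims to be signed with against its issuer's public key, and the rule for trimming the chain (drop a trailing self-signed cert) is an assumption chosen to reproduce the two observations in the message. The names cert_t, in_tcas, verify_certificate2, verify_chain and the two case_* functions are hypothetical; the stop_if_trusted flag models the change the message proposes.

```c
/* Model of the chain walk discussed above.  Added example, not GnuTLS code. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *subject;
    const char *issuer;
    int ca;              /* 1: BasicConstraints CA:TRUE, 0: CA:FALSE, -1: extension absent */
    const char *pubkey;  /* stand-in for the public key */
    const char *sig_key; /* stand-in for the key that produced the signature */
} cert_t;

enum { VERIFY_OK = 0, VERIFY_SIGNER_NOT_FOUND, VERIFY_SIGNER_NOT_CA, VERIFY_BAD_SIGNATURE };

/* Is c one of the trusted certs? (models a raw DER comparison) */
static int in_tcas(const cert_t *c, const cert_t *tcas, int n)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(c->subject, tcas[i].subject) && !strcmp(c->pubkey, tcas[i].pubkey))
            return 1;
    return 0;
}

/* find_issuer: first candidate whose subject matches c's issuer. */
static const cert_t *find_issuer(const cert_t *c, const cert_t *tcas, int n)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(c->issuer, tcas[i].subject))
            return &tcas[i];
    return NULL;
}

/* check_is_ca: only an explicit CA:TRUE counts; an absent extension fails. */
static int check_is_ca(const cert_t *c) { return c->ca == 1; }

/* Verify one cert against a list of candidate issuers (the trusted list, or the
 * next cert in the chain).  With stop_if_trusted set, a cert that is itself in
 * the trusted list is accepted without looking up its issuer. */
static int verify_certificate2(const cert_t *c, const cert_t *tcas, int n, int stop_if_trusted)
{
    if (stop_if_trusted && in_tcas(c, tcas, n))
        return VERIFY_OK;
    const cert_t *issuer = find_issuer(c, tcas, n);
    if (!issuer) return VERIFY_SIGNER_NOT_FOUND;
    if (!check_is_ca(issuer)) return VERIFY_SIGNER_NOT_CA;
    if (strcmp(c->sig_key, issuer->pubkey)) return VERIFY_BAD_SIGNATURE;
    return VERIFY_OK;
}

int verify_chain(const cert_t *chain, int clist_size, const cert_t *tcas, int tcas_size, int stop_if_trusted)
{
    /* Assumed trimming rule: a trailing self-signed cert sent by the server is
     * dropped, so the chain A, B, C becomes A, B. */
    if (clist_size > 1 && !strcmp(chain[clist_size - 1].subject, chain[clist_size - 1].issuer))
        clist_size--;
    /* The top of what is left must chain to the trusted list. */
    int ret = verify_certificate2(&chain[clist_size - 1], tcas, tcas_size, stop_if_trusted);
    if (ret) return ret;
    /* Then every other cert is verified against the next one in the chain. */
    for (int i = clist_size - 2; i >= 0; i--) {
        ret = verify_certificate2(&chain[i], &chain[i + 1], 1, 0);
        if (ret) return ret;
    }
    return VERIFY_OK;
}

/* Constructed stand-ins for the three certs: C is an old-style self-signed root
 * with no BasicConstraints, B is an intermediate with CA:TRUE, A is the server cert. */
static const cert_t CERT_C = { "C", "C", -1, "keyC", "keyC" };
static const cert_t CERT_B = { "B", "C",  1, "keyB", "keyC" };
static const cert_t CERT_A = { "A", "B",  0, "keyA", "keyB" };

/* TLS_CACERT holds B and C. */
int case_B_and_C(int stop_if_trusted)
{
    const cert_t chain[] = { CERT_A, CERT_B, CERT_C };
    const cert_t tcas[]  = { CERT_B, CERT_C };
    return verify_chain(chain, 3, tcas, 2, stop_if_trusted);
}

/* TLS_CACERT holds only B. */
int case_B_only(int stop_if_trusted)
{
    const cert_t chain[] = { CERT_A, CERT_B, CERT_C };
    const cert_t tcas[]  = { CERT_B };
    return verify_chain(chain, 3, tcas, 1, stop_if_trusted);
}

int main(void)
{
    printf("B+C trusted, current walk:  %d\n", case_B_and_C(0)); /* 2: C has no BasicConstraints */
    printf("B+C trusted, stop at B:     %d\n", case_B_and_C(1)); /* 0 */
    printf("B only trusted, current:    %d\n", case_B_only(0));  /* 1: issuer of B not in tcas */
    printf("B only trusted, stop at B:  %d\n", case_B_only(1));  /* 0 */
    return 0;
}
```

With stop_if_trusted off, the first case fails in check_is_ca on C and the second in find_issuer for B, matching the two failures reported in the message; with it on, the walk stops at B in both cases and A is still checked against B, so B's own CA:TRUE is still required for the server cert to be accepted.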