
libpkix ignores the P (trusted peer) trust flag

RESOLVED DUPLICATE of bug 647364

Status

NSS
Libraries
7 years ago
5 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Wan-Teh Chang)

Tracking

3.12.4
3.13.3

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

7 years ago
I created a self-signed server certificate and added it to
my NSS certificate database with the "P,," trust flags.

This allows CERT_VerifyCertNow to verify the certificate
successfully.  However, CERT_PKIXVerifyCert still fails
with the SEC_ERROR_UNKNOWN_ISSUER error (-8179).  I have
to set the "C,," trust flags to make CERT_PKIXVerifyCert
succeed, but trusting a self-signed server certificate
as a CA ('C' means "trusted CA to issue server certificates")
gives more trust to the certificate than necessary.
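
An added example, not part of the bug report or of NSS: a small audit that reads a `certutil -L` style listing and reports entries holding CA-level SSL trust (`C` or `T`) that are not on an expected-CA list, which is the state the workaround described above leaves a self-signed server certificate in. The flag meanings follow the certutil documentation; the function names, nicknames and sample listing are constructed for illustration.

```python
import re

# Flag meanings as documented for certutil's -t option.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certificates (implies c)",
    "T": "trusted CA to issue client certificates (implies c)",
    "u": "user certificate (private key present)",
}
FIELDS = ("ssl", "email", "object_signing")
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample in the layout printed by `certutil -L -d <dbdir>`.
SAMPLE_LISTING = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Example Root CA                              CT,C,C
intranet self-signed                         C,,
build server self-signed                     P,,
"""

def parse_trust(trust):
    """Split an 'SSL,S/MIME,JAR/XPI' trust string into one flag set per usage."""
    if not TRUST_RE.match(trust):
        raise ValueError(f"not a trust string: {trust!r}")
    return dict(zip(FIELDS, (set(part) for part in trust.split(","))))

def parse_listing(text):
    """Yield (nickname, trust) pairs; nicknames may contain spaces."""
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            yield parts[0].strip(), parts[1]

def audit_ca_trust(text, expected_cas):
    """Report entries holding CA-level SSL trust (C or T) that are not expected CAs."""
    findings = []
    for nickname, trust in parse_listing(text):
        ca_flags = parse_trust(trust)["ssl"] & {"C", "T"}
        if ca_flags and nickname not in expected_cas:
            reasons = [FLAGS[f] for f in sorted(ca_flags)]
            findings.append((nickname, trust, reasons))
    return findings

if __name__ == "__main__":
    for nickname, trust, reasons in audit_ca_trust(SAMPLE_LISTING, {"Example Root CA"}):
        print(f"{nickname}: {trust} -> {'; '.join(reasons)}")
```

On the sample listing only the entry with `C,,` is reported; the `P,,` entry carries peer trust only and is not flagged.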

Comment 1

7 years ago
I'm using this for a specific domain's self-signed certificate. Does anyone know if the "C" flag allows the domain to sign arbitrary other domains, like gmail.com?

Thanks,
Nicholas

Comment 2

Nicholas, questions like yours should be asked in the mozilla.dev.tech.crypto newsgroup or on the dev-tech-crypto mailing list.
(Assignee)

Comment 3

5 years ago
Marked this bug as a duplicate even though this bug was filed first.
The other bug has more info.
Assignee: nobody → wtc
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.13.3
Duplicate of bug: 647364