On Sat, 20 Dec 2014 22:44:54 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> If I understand correctly, it seems 1) the :self-signed message and
>> symbol need to be changed, and 2) we're waiting for the GnuTLS
>> developers to tell us the best way to detect a self-signed certificate.
>> 
>> For (1) I propose using :unknown-ca and "the certificate was signed by
>> an unknown and therefore untrusted authority"

LI> Sounds good.

On Sun, 21 Dec 2014 18:16:35 +0100 David Engster <deng@randomsample.de> wrote: 

DE> Nick answered, and it's really simple: call gnutls_x509_crt_check_issuer
DE> on the certificate itself (meaning: provide the certificate in question
DE> for both arguments).

Please try the attached patch. I'm not able to test it myself because
I'm traveling, but it should be fairly trivial and addresses both
issues. Feel free to commit it with any changes you want, it's a tiny
change.

gnutls_x509_crt_check_issuer() has been in GnuTLS for all the versions
we support, so there was no need for a version check.

(there was a third issue, the expiration date was wrong, but that's not
as urgent)

Ted