Re: [Help-gnutls] Peer verification

[Michael Bell]

Nikos Mavrogiannopoulos schrieb:
> On Friday 23 November 2007, Michael Bell wrote:

> > I try to get a correct validation for a https server. My problem is that
> > certtool says that everthing is find and gnutls-cli fails.
> >
> > Configuration:
> >    - server cert + intermediate ca + root ca
> >    - server sends only the server cert and the intermediate CA
>
> As I can see in the output you sent me the server is sending 6 certificates
> and they do not form a certificate chain. In TLS a certificate chain is
> formed by having a list where the next certificate certifies the previous.
> Thus the issuer's DN in certificate [0] should be the same as the subject's
> DN in certificate [1] and so on. So I believe it is normal for verification to 
> fail.

The server must only send its own cert. Any other information like 
intermediate and root CA certs are opional. The server has not to send a 
complete chain. Therefore the browsers have no problem with this page 
because they know the root CA cert and mostly the intermediate CA cert. 
So actually I think it's a bug in GnuTLS - especially because the other 
clients are able to verify the server. Nevertheless I initiated a 
reconfiguration of the server (luckily we control the server).

Best regards

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
address@hidden   D-10099 Berlin
_______________________________________________________________

X.509 CA Certificates / Wurzelzertifikate

http://ra.pki.hu-berlin.de

smime.p7s
Description: S/MIME Cryptographic Signature