[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Help-gnutls] Peer verification
|
From: |
Michael Bell |
|
Subject: |
Re: [Help-gnutls] Peer verification |
|
Date: |
Tue, 27 Nov 2007 11:22:09 +0100 |
|
User-agent: |
Thunderbird 2.0.0.9 (X11/20071031) |
Nikos Mavrogiannopoulos schrieb:
In your logs I see that the certificate [1] is the root certificate. This
looks wrong. The chain should be [0] = server certificate
[1] = intermediate
[2] = root
I read RFC 2246 TLS and it looks like the certificate chain must be in
the correct order but it looks like Apache and all clients simply ignore
this part of the specification and create the order by themselves. So if
GnuTLS has something like a wishlist then I would like to add a more
tolerant behaviour because OpenSSL (and by this way Apache) and all the
other clients simply accept this behaviour and so the most servers will
never take care about such issues.
BTW is there a FAQ or WiKi where I can document this for other users? I
think this could be helpful because neither Apache nor OpenSSL s_client
report/log any problems with such servers/configurations.
Sorry for the trouble
Michael
--
_______________________________________________________________
Michael Bell Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice
Fax: +49 (0)30-2093 2704 Unter den Linden 6
address@hidden D-10099 Berlin
_______________________________________________________________
X.509 CA Certificates / Wurzelzertifikate
http://ra.pki.hu-berlin.de
smime.p7s
Description: S/MIME Cryptographic Signature