help-gnutls

[Help-gnutls] Re: Peer verification


From: Simon Josefsson
Subject: [Help-gnutls] Re: Peer verification
Date: Tue, 27 Nov 2007 14:38:12 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Michael Bell <address@hidden> writes:

> Nikos Mavrogiannopoulos wrote:
>
>> In your logs I see that the certificate [1] is the root
>> certificate. This looks wrong. The chain should be
>> [0] = server certificate
>> [1] = intermediate
>> [2] = root
>
> I read RFC 2246 TLS and it looks like the certificate chain must be in
> the correct order but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist then I would
> like to add a more tolerant behaviour because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour and so
> the most servers will never take care about such issues.
>
> BTW is there a FAQ or wiki where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.

Try <http://trac.gnutls.org/>.  Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually.  If you want, you
could also file a wishlist ticket about this.

Unless we get more reports about this problem, I don't think we should
modify GnuTLS here.  It seems we follow the protocol.

/Simon
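
The ordering rule discussed in this thread, as an added example that is not part of the original message and is not GnuTLS code: it checks whether a certificate list is in the [0] = server, [1] = intermediate, [2] = root order and shows the issuer-following reordering a tolerant client performs. Certificates are modelled only by constructed subject/issuer names (an assumption); real path validation also verifies signatures, validity periods and trust anchors.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str  # stand-in for the subject DN (constructed sample value)
    issuer: str   # stand-in for the issuer DN (constructed sample value)

def first_order_violation(chain: list[Cert]) -> Optional[int]:
    """Return the index i of the first certificate that is not issued by
    chain[i + 1], or None when every certificate is followed by its issuer."""
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return i
    return None

def reorder(chain: list[Cert]) -> list[Cert]:
    """Rebuild the path from chain[0] by following issuer names.
    The root may be omitted, but every certificate that was sent must
    link into the path; otherwise ValueError is raised."""
    if not chain:
        return []
    by_subject = {c.subject: c for c in chain[1:]}
    path = [chain[0]]
    while path[-1].issuer != path[-1].subject:   # stop at a self-signed root
        nxt = by_subject.pop(path[-1].issuer, None)
        if nxt is None:                          # issuer was not sent
            break
        path.append(nxt)                         # each cert is used once
    if by_subject:
        unused = ", ".join(sorted(by_subject))
        raise ValueError(f"certificates not linked to the path: {unused}")
    return path

# Constructed sample: the list as described in the thread, root at index 1.
AS_SENT = [
    Cert("CN=www.example.org", "CN=Example Intermediate CA"),
    Cert("CN=Example Root CA", "CN=Example Root CA"),
    Cert("CN=Example Intermediate CA", "CN=Example Root CA"),
]

if __name__ == "__main__":
    print("first violation at index:", first_order_violation(AS_SENT))
    for i, cert in enumerate(reorder(AS_SENT)):
        print(f"[{i}] {cert.subject}")
```

A strict verifier corresponds to rejecting the list whenever `first_order_violation` returns an index; a server administrator can use the same check on the configured chain file before deploying it.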