[gnutls-devel] [PATCH] Tolerate unsorted certificate chains in GnuTLS 2.12.23
mancha1 at hush.com
Fri Jul 26 23:23:02 CEST 2013
Per RFC 5246: "The sender's certificate MUST come first in the
list. Each following certificate MUST directly
certify the one preceding it."
Unfortunately, many TLS servers provide their certificate chains
out of order, violating the RFC. GnuTLS 3.0.x+ now tolerates
out-of-order certificate chains by default. The attached patch
backports similar logic to GnuTLS 2.12.x.
I post it for the benefit of others with systems staying on the
2.12.x branch who might find this enhancement valuable. Also,
so other sets of eyes might take a quick look and make sure I
didn't do anything too unruly. Comments welcome.
P.S. A little bit of irony...
$ gnutls-cli lists.gnutls.org
[Boring stuff skipped]
- The hostname in the certificate does NOT match 'lists.gnutls.org'
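The chain re-ordering the post describes, as an added illustration that is not the attached patch or GnuTLS code: certificates are modelled as plain subject/issuer name pairs (an assumption; real code would take them from parsed X.509 structures), the first certificate received is kept as the leaf per RFC 5246, and each following slot is filled with the certificate whose subject matches the previous issuer.

```python
# Added example (not the patch and not GnuTLS code): restore RFC 5246 order
# in a certificate chain a server sent out of order. A certificate here is a
# dict with "subject" and "issuer" strings (constructed stand-in for X.509).

def sort_chain(chain):
    """Return the chain reordered so each cert directly certifies the one before it.

    The first certificate is kept in place: RFC 5246 says the sender's
    certificate MUST come first, so it is taken as the leaf. For every later
    slot, pick the certificate whose subject equals the previous cert's issuer.
    Certificates that cannot be linked into the path are dropped, as a
    verifier that tolerates unsorted chains would ignore them. Sorting stops
    at a self-signed certificate or when the next issuer is not in the chain.
    """
    if not chain:
        raise ValueError("empty certificate chain")
    ordered = [chain[0]]
    remaining = list(chain[1:])
    while remaining:
        prev = ordered[-1]
        if prev["issuer"] == prev["subject"]:
            break  # reached a self-signed (root) certificate: path complete
        match = next((c for c in remaining if c["subject"] == prev["issuer"]), None)
        if match is None:
            break  # next issuer not supplied by the server: leave path partial
        ordered.append(match)
        remaining.remove(match)
    return ordered


def is_rfc5246_ordered(chain):
    """True when each certificate's issuer is the subject of the next one."""
    return all(chain[i]["issuer"] == chain[i + 1]["subject"]
               for i in range(len(chain) - 1))


# Constructed sample: leaf, root, intermediate, in the order a misbehaving
# server might send them (leaf first, but intermediate and root swapped).
LEAF = {"subject": "CN=lists.example.org", "issuer": "CN=Example Intermediate CA"}
INTER = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
UNSORTED = [LEAF, ROOT, INTER]

if __name__ == "__main__":
    print("unsorted ok:", is_rfc5246_ordered(UNSORTED))
    print("sorted ok:  ", is_rfc5246_ordered(sort_chain(UNSORTED)))
```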