[Help-gnutls] Peer verification
michael.bell at cms.hu-berlin.de
Mon Nov 26 10:17:13 CET 2007
Nikos Mavrogiannopoulos wrote:
> On Friday 23 November 2007, Michael Bell wrote:
>> I try to get a correct validation for a https server. My problem is that
>> certtool says that everything is fine and gnutls-cli fails.
>> - server cert + intermediate ca + root ca
>> - server sends only the server cert and the intermediate CA
> As I can see in the output you sent me the server is sending 6 certificates
> and they do not form a certificate chain. In TLS a certificate chain is
> formed by having a list where the next certificate certifies the previous.
> Thus the issuer's DN in certificate  should be the same as the subject's
> DN in certificate  and so on. So I believe it is normal for verification to
The server must only send its own cert. Any other information like
intermediate and root CA certs is optional. The server does not have to send a
complete chain. Therefore the browsers have no problem with this page
because they know the root CA cert and mostly the intermediate CA cert.
So actually I think it's a bug in GnuTLS - especially because the other
clients are able to verify the server. Nevertheless I initiated a
reconfiguration of the server (luckily we control the server).
Michael Bell, Humboldt-Universitaet zu Berlin
ZE Computer- und Medienservice, Unter den Linden 6, D-10099 Berlin
Tel.: +49 (0)30-2093 2482, Fax: +49 (0)30-2093 2704
michael.bell at cms.hu-berlin.de
X.509 CA Certificates / Wurzelzertifikate
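As an added example (not code from this thread or from GnuTLS), the chaining rule Nikos describes, written as a small Python check: a certificate is reduced to its (subject DN, issuer DN) pair, the DNs are constructed sample values, and DNs are compared as plain strings rather than with full X.500 name matching. It also reports which issuer the client would have to find in its own trust store when the server omits the root, as Michael says is common.

```python
"""Check whether certificates, as listed in a TLS Certificate message, form the
chain TLS expects (each certificate certifies the previous one) and rebuild the
intended chain when the server sends them in a different order."""
from typing import Dict, List, Optional, Tuple

# A certificate is modelled as (subject DN, issuer DN); constructed sample data.
Cert = Tuple[str, str]

LEAF = ("CN=www.example.org", "CN=Example Intermediate CA")
INTER = ("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = ("CN=Example Root CA", "CN=Example Root CA")          # self-signed
UNRELATED = ("CN=Other CA", "CN=Other Root")                 # noise the server also sent

# Constructed example of a server sending extra certificates out of order.
SERVER_SENT: List[Cert] = [LEAF, UNRELATED, ROOT, INTER]


def first_broken_link(chain: List[Cert]) -> Optional[int]:
    """Return the index i where chain[i]'s issuer is not chain[i+1]'s subject,
    i.e. the first place the TLS ordering rule fails, or None if every link holds."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None


def reorder_chain(certs: List[Cert], leaf_subject: str) -> Optional[Tuple[List[Cert], Optional[str]]]:
    """Rebuild the chain from the end-entity certificate by following issuer links,
    ignoring certificates not on the path (as browsers do). Returns (chain, unresolved):
    unresolved is None when the walk ended at a self-signed certificate, otherwise
    the issuer DN the client must hold in its own trust store. Returns None when the
    leaf is absent or the issuer links loop. Duplicate subjects: last one wins."""
    by_subject: Dict[str, Cert] = {subject: (subject, issuer) for subject, issuer in certs}
    current = by_subject.get(leaf_subject)
    if current is None:
        return None
    chain: List[Cert] = []
    seen = set()
    while True:
        if current[0] in seen:
            return None                       # cycle in issuer links
        seen.add(current[0])
        chain.append(current)
        if current[0] == current[1]:
            return chain, None                # reached a self-signed root
        nxt = by_subject.get(current[1])
        if nxt is None:
            return chain, current[1]          # issuer not sent; must come from trust store
        current = nxt
```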