[Help-gnutls] Peer verification

Michael Bell michael.bell at cms.hu-berlin.de
Mon Nov 26 10:17:13 CET 2007


Nikos Mavrogiannopoulos wrote:
> On Friday 23 November 2007, Michael Bell wrote:

>> I try to get a correct validation for a https server. My problem is that
>> certtool says that everything is fine and gnutls-cli fails.
>>
>> Configuration:
>>    - server cert + intermediate ca + root ca
>>    - server sends only the server cert and the intermediate CA
> 
> As I can see in the output you sent me the server is sending 6 certificates
> and they do not form a certificate chain. In TLS a certificate chain is
> formed by having a list where the next certificate certifies the previous.
> Thus the issuer's DN in certificate [0] should be the same as the subject's
> DN in certificate [1] and so on. So I believe it is normal for verification to 
> fail.

The server must only send its own cert. Any other information like 
intermediate and root CA certs is optional. The server does not have to send a 
complete chain. Therefore the browsers have no problem with this page 
because they know the root CA cert and mostly the intermediate CA cert. 
So actually I think it's a bug in GnuTLS - especially because the other 
clients are able to verify the server. Nevertheless I initiated a 
reconfiguration of the server (luckily we control the server).

Best regards

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell at cms.hu-berlin.de   D-10099 Berlin
_______________________________________________________________

X.509 CA Certificates / Root Certificates

http://ra.pki.hu-berlin.de
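The two positions in this exchange correspond to two different checks a TLS client can apply to the Certificate message. The strict reading Nikos describes is the rule in TLS 1.0 through 1.2 (RFC 4346 / RFC 5246, section 7.4.2): the server's own certificate comes first and each following certificate must directly certify the one before it. The lenient reading Michael relies on is what browsers actually do: treat the received list as a pool of candidates, add locally cached intermediates and trust anchors, and search for any path from the leaf to a trusted root, ignoring order and extraneous certificates (TLS 1.3, RFC 8446, later told clients to expect exactly that). The following Python is an added illustration written for this archive page; it is not code from the thread, from GnuTLS or from any browser. It models a certificate as nothing but a subject/issuer name pair, so a name match stands in for signature verification; the certificate names and server scenarios are constructed for the example. Real path validation also checks signatures, validity periods, key usage and name constraints, and links certificates by Authority/Subject Key Identifier rather than by DN alone, because DNs can collide.

```python
"""Toy X.509 path building keyed on subject/issuer names only (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the two names that link a chain."""
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def check_tls_order(sent: List[Cert]) -> Tuple[bool, Optional[int]]:
    """Strict TLS 1.0-1.2 certificate_list rule: sent[0] is the server cert and
    every following cert must certify the one immediately before it.
    Returns (True, None) for a well-formed chain, else (False, index of the first break)."""
    for i in range(len(sent) - 1):
        if sent[i].issuer != sent[i + 1].subject:
            return False, i
    return True, None


def build_path(leaf: Cert, available: Iterable[Cert], trust_anchors: Iterable[Cert],
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Lenient client-side path building: follow issuer links from the leaf through
    any certificates the client has (sent by the server or cached locally) until a
    trust anchor is reached. Order and unrelated certificates are ignored.
    Returns [leaf, ..., anchor] or None if no path to a trusted root exists."""
    anchors = {c.subject: c for c in trust_anchors}
    by_subject = {}
    for c in available:
        by_subject.setdefault(c.subject, []).append(c)

    def walk(path: List[Cert]) -> Optional[List[Cert]]:
        current = path[-1]
        if current.issuer in anchors:          # reached the trust store
            return path + [anchors[current.issuer]]
        if len(path) >= max_depth:             # guard against cycles / absurd chains
            return None
        for candidate in by_subject.get(current.issuer, []):
            # a self-signed cert that is not a trust anchor is an untrusted root
            if candidate in path or candidate.is_self_signed():
                continue
            found = walk(path + [candidate])
            if found:
                return found
        return None

    return walk([leaf])


# Constructed PKI: leaf <- intermediate <- root, plus an unrelated CA and server.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
OTHER_CA = Cert("CN=Other CA", "CN=Other CA")
OTHER_LEAF = Cert("CN=other.example.test", "CN=Other CA")

# Constructed server configurations (what the Certificate message contains).
STRICT_CHAIN = [LEAF, INTER, ROOT]                       # textbook ordering
JUMBLED = [LEAF, ROOT, OTHER_LEAF, OTHER_CA, INTER]      # everything present, wrong order
LEAF_ONLY = [LEAF]                                       # server sends only its own cert


def classify(sent: List[Cert], local_cache: List[Cert], anchors: List[Cert]) -> str:
    """Summarise how a strict and a lenient client would each judge the message."""
    strict_ok, _ = check_tls_order(sent)
    path = build_path(sent[0], list(sent) + list(local_cache), anchors)
    if path is None:
        return "no-path"
    return "strict-ok" if strict_ok else "lenient-only"


if __name__ == "__main__":
    for name, sent in [("strict", STRICT_CHAIN), ("jumbled", JUMBLED), ("leaf-only", LEAF_ONLY)]:
        print(name, "no cache:", classify(sent, [], [ROOT]),
              "| cached intermediate:", classify(sent, [INTER], [ROOT]))
```

The `JUMBLED` case fails `check_tls_order` at index 0 (the root does not certify the leaf) yet `build_path` still finds the leaf/intermediate/root path, which is the disagreement between gnutls-cli and the browsers in this thread. The `LEAF_ONLY` case passes the ordering rule trivially but only verifies when the client already holds the intermediate, which is the dependency Michael's "browsers know the intermediate CA cert" argument rests on.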