[Help-gnutls] Peer verification
Michael Bell
michael.bell at cms.hu-berlin.de
Mon Nov 26 10:17:13 CET 2007
Nikos Mavrogiannopoulos wrote:
> On Friday 23 November 2007, Michael Bell wrote:
>> I try to get a correct validation for a https server. My problem is that
>> certtool says that everything is fine and gnutls-cli fails.
>>
>> Configuration:
>> - server cert + intermediate ca + root ca
>> - server sends only the server cert and the intermediate CA
>
> As I can see in the output you sent me the server is sending 6 certificates
> and they do not form a certificate chain. In TLS a certificate chain is
> formed by having a list where the next certificate certifies the previous.
> Thus the issuer's DN in certificate [0] should be the same as the subject's
> DN in certificate [1] and so on. So I believe it is normal for verification to
> fail.
The server must only send its own cert. Any other information like
intermediate and root CA certs is optional. The server does not have to send a
complete chain. Therefore the browsers have no problem with this page
because they know the root CA cert and mostly the intermediate CA cert.
So actually I think it's a bug in GnuTLS - especially because the other
clients are able to verify the server. Nevertheless I initiated a
reconfiguration of the server (luckily we control the server).
Best regards
Michael
--
_______________________________________________________________
Michael Bell Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice
Fax: +49 (0)30-2093 2704 Unter den Linden 6
michael.bell at cms.hu-berlin.de D-10099 Berlin
_______________________________________________________________
X.509 CA Certificates / Root Certificates
http://ra.pki.hu-berlin.de
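The two behaviours under discussion, side by side, as an added Python model (not GnuTLS code and not from either poster): the strict "issuer of [i] equals subject of [i+1]" ordering rule Nikos describes, and the lenient path building Michael expects, where a client completes the chain from intermediates it already knows. The `Cert` stand-in, the DNs and the server's certificate list are constructed for the example, and DN matching stands in for signature verification.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate; only the DNs are modelled (assumption)."""
    subject: str
    issuer: str

def is_ordered_chain(sent: List[Cert]) -> bool:
    """Strict TLS ordering rule: issuer DN of sent[i] == subject DN of sent[i+1]."""
    return all(a.issuer == b.subject for a, b in zip(sent, sent[1:]))

def build_chain(sent: List[Cert], local_store: Iterable[Cert],
                trusted_roots: Iterable[Cert], max_depth: int = 8) -> Optional[List[Cert]]:
    """Lenient path building: start at the end-entity cert sent[0] and walk
    issuer -> subject through any extra handshake certs plus locally known CAs,
    in any order, until a trusted root is reached. Returns None if no path exists.
    Assumption: DN matching replaces signature verification in this model."""
    roots = {r.subject: r for r in trusted_roots}
    pool = {c.subject: c for c in local_store}
    pool.update({c.subject: c for c in sent[1:]})  # handshake extras win ties
    chain = [sent[0]]
    for _ in range(max_depth):
        top = chain[-1]
        if top.issuer in roots:
            return chain + [roots[top.issuer]]
        nxt = pool.get(top.issuer)
        if nxt is None or nxt in chain:  # unknown issuer, or a loop
            return None
        chain.append(nxt)
    return None  # depth limit hit

# Constructed sample data mirroring the thread: the server sends its own cert
# followed by unrelated certificates that do not form a chain.
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
UNRELATED = [Cert("CN=Other Server", "CN=Other CA"), Cert("CN=Other CA", "CN=Other Root")]
SERVER_SENT = [LEAF] + UNRELATED
LOCAL_STORE = [INTER]  # the client already knows the intermediate, as browsers often do
TRUSTED = [ROOT]

if __name__ == "__main__":
    print("ordered chain as sent:", is_ordered_chain(SERVER_SENT))            # False
    built = build_chain(SERVER_SENT, LOCAL_STORE, TRUSTED)
    print("built with local intermediate:", [c.subject for c in built] if built else None)
    print("built without local intermediate:", build_chain(SERVER_SENT, [], TRUSTED))  # None
```

A client that only applies the strict rule rejects this server, while one that builds paths from its local store accepts it; the server-side fix Michael mentions (sending leaf then intermediate) satisfies both.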