[Help-gnutls] Peer verification

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Nov 26 13:14:41 CET 2007

On Nov 26, 2007 11:17 AM, Michael Bell <michael.bell at cms.hu-berlin.de> wrote:
> Nikos Mavrogiannopoulos schrieb:
> > On Friday 23 November 2007, Michael Bell wrote:
> >> I try to get a correct validation for a https server. My problem is that
> >> certtool says that everthing is find and gnutls-cli fails.
> >>
> >> Configuration:
> >>    - server cert + intermediate ca + root ca
> >>    - server sends only the server cert and the intermediate CA
> >
> > As I can see in the output you sent me the server is sending 6 certificates
> > and they do not form a certificate chain. In TLS a certificate chain is
> > formed by having a list where the next certificate certifies the previous.
> > Thus the issuer's DN in certificate [0] should be the same as the subject's
> > DN in certificate [1] and so on. So I believe it is normal for verification to
> > fail.
> The server must only send its own cert. Any other information like
> intermediate and root CA certs are opional. The server has not to send a
> complete chain.

According to which protocol? In TLS the server has to either send his
certificate, or
his certificate and a complete chain (see section 7.4.2 of RFC2246).

> So actually I think it's a bug in GnuTLS - especially because the other
> clients are able to verify the server. Nevertheless I initiated a
> reconfiguration of the server (luckily we control the server).

This doesn't seem to be a gnutls issue. It looks like a server misconfiguration.


More information about the Gnutls-help mailing list