[Help-gnutls] Peer verification

Michael Bell michael.bell at cms.hu-berlin.de
Tue Nov 27 11:22:09 CET 2007

Nikos Mavrogiannopoulos schrieb:

> In your logs I see that the certificate [1] is the root certificate. This 
> looks wrong. The chain should be [0] = server certificate
> [1] = intermediate
> [2] = root

I read RFC 2246 TLS and it looks like the certificate chain must be in 
the correct order but it looks like Apache and all clients simply ignore 
this part of the specification and create the order by themselves. So if 
GnuTLS has something like a wishlist then I would like to add a more 
tolerant behaviour because OpenSSL (and by this way Apache) and all the 
other clients simply accept this behaviour and so the most servers will 
never take care about such issues.

BTW is there a FAQ or WiKi where I can document this for other users? I 
think this could be helpful because neither Apache nor OpenSSL s_client 
report/log any problems with such servers/configurations.

Sorry for the trouble


Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell at cms.hu-berlin.de   D-10099 Berlin

X.509 CA Certificates / Wurzelzertifikate

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5664 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20071127/c44db2c9/attachment.bin>

More information about the Gnutls-help mailing list