[Help-gnutls] Peer verification
Michael Bell
michael.bell at cms.hu-berlin.de
Tue Nov 27 11:22:09 CET 2007
Nikos Mavrogiannopoulos wrote:
> In your logs I see that the certificate [1] is the root certificate. This
> looks wrong. The chain should be [0] = server certificate
> [1] = intermediate
> [2] = root
I read RFC 2246 (TLS), and it looks like the certificate chain must be in
the correct order, but it looks like Apache and all clients simply ignore
this part of the specification and work out the order by themselves. So if
GnuTLS has something like a wishlist, then I would like to add more
tolerant behaviour, because OpenSSL (and, by way of it, Apache) and all the
other clients simply accept this behaviour, and so most servers will
never take care of such issues.
BTW, is there a FAQ or wiki where I can document this for other users? I
think this could be helpful, because neither Apache nor OpenSSL s_client
reports/logs any problems with such servers/configurations.
Sorry for the trouble
Michael
--
_______________________________________________________________
Michael Bell
Humboldt-Universitaet zu Berlin
ZE Computer- und Medienservice
Unter den Linden 6
D-10099 Berlin
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
michael.bell at cms.hu-berlin.de
_______________________________________________________________
X.509 CA Certificates / Root Certificates
http://ra.pki.hu-berlin.de
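The two behaviours the thread contrasts, as an added example that is not code from this mailing list, from GnuTLS or from OpenSSL: the strict ordering rule of RFC 2246 section 7.4.2 (each certificate in certificate_list must directly certify the one before it, leaf first) against the tolerant "rebuild the chain yourself from issuer/subject names" approach the post attributes to OpenSSL and Apache. The root, intermediate and server certificates, their key pairs and the names `Example Root CA`, `Example Intermediate CA` and `www.example.test` are all constructed on the fly here with the third-party `cryptography` package; nothing is loaded from a real server. The wire order it tests, `[0]` leaf, `[1]` root, `[2]` intermediate, is the one Nikos reported from the logs.

```python
"""Added example (not from the gnutls-help thread, GnuTLS or OpenSSL):
strict RFC 2246 certificate_list ordering versus tolerant chain rebuilding.
All certificates, keys and names below are constructed for the demo."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _issue(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue an ECDSA/P-256 certificate for `cn`; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )


def make_demo_chain():
    """Constructed three-level PKI (hypothetical names): root -> intermediate -> leaf."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue("Example Root CA", root_key, is_ca=True)
    inter = _issue("Example Intermediate CA", inter_key, root, root_key, is_ca=True)
    leaf = _issue("www.example.test", leaf_key, inter, inter_key)
    return leaf, inter, root


LEAF, INTERMEDIATE, ROOT = make_demo_chain()


def chain_is_ordered(chain):
    """Strict RFC 2246 rule: chain[i+1] must be the issuer of chain[i], leaf first."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))


def build_chain(leaf, extra):
    """Tolerant behaviour: ignore the wire order and rebuild the path from the leaf
    by matching each certificate's issuer name against the subjects of the rest.
    Name matching alone proves nothing; verify_chain() checks the signatures."""
    ordered, pool = [leaf], list(extra)
    while ordered[-1].issuer != ordered[-1].subject:      # stop at a self-signed root
        cur = ordered[-1]
        nxt = next((c for c in pool if c.subject == cur.issuer), None)
        if nxt is None:
            raise ValueError("no issuer supplied for " + cur.subject.rfc4514_string())
        pool.remove(nxt)
        ordered.append(nxt)
    return ordered


def verify_chain(chain):
    """True if each certificate's signature verifies under the key of the next one
    (the last under its own key). Validity dates, EKU and revocation are out of scope."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True


if __name__ == "__main__":
    # The order the post's server sent: [0] leaf, [1] root, [2] intermediate.
    wire = [LEAF, ROOT, INTERMEDIATE]
    print("RFC 2246 order   :", chain_is_ordered(wire))                # False
    print("signatures as-is :", verify_chain(wire))                    # False
    rebuilt = build_chain(wire[0], wire[1:])
    print("rebuilt order    :", [c.subject.rfc4514_string() for c in rebuilt])
    print("rebuilt verifies :", verify_chain(rebuilt))                 # True
```

A strict client that walks the list as sent, as the RFC describes, rejects the misordered chain at the first signature check; a tolerant client rebuilds the path by name and then verifies, so it never notices. That is why neither Apache nor s_client logs anything, and also why the fix belongs on the server (send leaf, then intermediate, then optionally root) rather than in every client.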