[Help-gnutls] Re: Peer verification

Simon Josefsson simon at josefsson.org
Tue Nov 27 14:38:12 CET 2007

Michael Bell <michael.bell at cms.hu-berlin.de> writes:

> Nikos Mavrogiannopoulos schrieb:
>> In your logs I see that the certificate [1] is the root
>> certificate. This looks wrong. The chain should be [0] = server
>> certificate
>> [1] = intermediate
>> [2] = root
> I read RFC 2246 TLS and it looks like the certificate chain must be in
> the correct order but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist then I would
> like to add a more tolerant behaviour because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour and so
> the most servers will never take care about such issues.
> BTW is there a FAQ or WiKi where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.

Try <http://trac.gnutls.org/>.  Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually.  If you want, you
could also file a wishlist ticket about this.

Unless we get more report about this problem, I don't think we should
modify GnuTLS here.  It seems we follow the protocol.


More information about the Gnutls-help mailing list