[Help-gnutls] Re: Peer verification
simon at josefsson.org
Tue Nov 27 14:38:12 CET 2007
Michael Bell <michael.bell at cms.hu-berlin.de> writes:
> Nikos Mavrogiannopoulos wrote:
>> In your logs I see that the certificate  is the root
>> certificate. This looks wrong. The chain should be  = server
>>  = intermediate
>>  = root
> I read RFC 2246 (TLS) and it looks like the certificate chain must be in
> the correct order, but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist, then I would
> like to add a more tolerant behaviour, because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour, and so
> most servers will never take care of such issues.
> BTW, is there a FAQ or wiki where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.
Try <http://trac.gnutls.org/>. Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually. If you want, you
could also file a wishlist ticket about this.
Unless we get more reports about this problem, I don't think we should
modify GnuTLS here. It seems we follow the protocol.
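The ordering rule the thread argues about is RFC 2246 section 7.4.2: the sender's own certificate comes first and each following certificate directly certifies the one before it. The script below is an added example (not GnuTLS code and not posted by anyone in the thread) that checks a received chain against that rule, the way a strict client such as GnuTLS effectively does, and then rebuilds the order by subject/issuer lookup, the way a tolerant client such as OpenSSL effectively does. Certificates are modelled as plain dicts carrying only subject and issuer names; the names and the mis-ordered chain are constructed for illustration and no signatures are verified.

```python
"""Check, and if needed repair, the order of a TLS Certificate message chain.

RFC 2246 section 7.4.2: the server's certificate comes first, and each
following certificate must directly certify the one preceding it.
Simplified model: a certificate is a dict with 'subject' and 'issuer'
names only; signatures, validity periods and extensions are not checked.
"""


def is_self_signed(cert):
    """A self-signed certificate (subject == issuer) is a root, not a server cert."""
    return cert["subject"] == cert["issuer"]


def check_chain_order(chain):
    """Strict check in the spirit of RFC 2246 section 7.4.2.

    Returns a list of human-readable problems; an empty list means the
    chain is already in the required order (server, intermediate(s), root).
    """
    problems = []
    if not chain:
        return ["empty chain"]
    if len(chain) > 1 and is_self_signed(chain[0]):
        problems.append(
            "certificate 0 (%s) is self-signed, i.e. a root, not the server certificate"
            % chain[0]["subject"])
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            problems.append(
                "certificate %d (%s) is not issued by certificate %d (%s)"
                % (i, chain[i]["subject"], i + 1, chain[i + 1]["subject"]))
    return problems


def rebuild_chain(certs):
    """Tolerant reordering by subject/issuer lookup.

    Finds the single end-entity certificate (the one nobody in the set
    claims to have issued) and follows issuer links from it. Stops at a
    self-signed root or when the issuer is not in the sent set (a real
    client would then consult its trust store). Raises ValueError when
    there is not exactly one end entity or when the issuer links loop.
    """
    if len(certs) == 1:
        return list(certs)
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(
            "expected exactly one end-entity certificate, found %d" % len(leaves))
    ordered = [leaves[0]]
    seen = {leaves[0]["subject"]}
    while not is_self_signed(ordered[-1]):
        nxt = by_subject.get(ordered[-1]["issuer"])
        if nxt is None:
            break  # issuer not sent; a client would look it up in its trust store
        if nxt["subject"] in seen:
            raise ValueError("issuer loop at " + nxt["subject"])
        ordered.append(nxt)
        seen.add(nxt["subject"])
    return ordered


# Constructed sample chain (hypothetical names), sent in the wrong order:
# the root first, as in the log discussed above, instead of the server cert.
SERVER = {"subject": "CN=www.example.com", "issuer": "CN=Example Intermediate CA"}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
MISORDERED = [ROOT, SERVER, INTERMEDIATE]


if __name__ == "__main__":
    for problem in check_chain_order(MISORDERED):
        print("strict client would complain:", problem)
    fixed = rebuild_chain(MISORDERED)
    print("tolerant client rebuilds:", [c["subject"] for c in fixed])
    print("rebuilt chain problems:", check_chain_order(fixed))
```

To run this against a real server, feed it the subject and issuer of each certificate that `openssl s_client -connect host:443 -showcerts` prints, in the order they appear; any output from `check_chain_order` is a chain a strict client may reject even though OpenSSL-based clients connect without complaint.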