[Help-gnutls] Re: Peer verification

Simon Josefsson simon at josefsson.org
Tue Nov 27 14:38:12 CET 2007


Michael Bell <michael.bell at cms.hu-berlin.de> writes:

> Nikos Mavrogiannopoulos schrieb:
>
>> In your logs I see that the certificate [1] is the root
>> certificate. This looks wrong. The chain should be [0] = server
>> certificate
>> [1] = intermediate
>> [2] = root
>
> I read RFC 2246 TLS and it looks like the certificate chain must be in
> the correct order, but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist, then I would
> like to add a more tolerant behaviour, because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour, and so
> most servers will never take care of such issues.
>
> BTW, is there a FAQ or Wiki where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.

Try <http://trac.gnutls.org/>.  Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually.  If you want, you
could also file a wishlist ticket about this.

Unless we get more reports about this problem, I don't think we should
modify GnuTLS here.  It seems we follow the protocol.

/Simon
