[Help-gnutls] Re: gnutls fails to verify server certificate while openssl works
Peter Volkov
pva at gentoo.org
Mon Oct 6 10:20:51 CEST 2008
Is it possible to do something similar in gnutls? It looks like there
are reasons to validate certificates presented in the wrong order...
-------- Forwarded message --------
From: Tim Hudson <tjh AT cryptsoft com>
Reply-TO: openssl-dev at openssl.org
TO: openssl-dev at openssl.org
Peter Volkov wrote:
> CC'ing openssl developers for their opinions, since I think it is better
> for this behavior to be consistent or configurable. Description of the
> problem is here:
Placing this in context - connect with Internet Explorer or Firefox to
https://metasploit.com/ and you will see that both of those independent
implementations see nothing wrong with the certificate chain and handle the
redirect to http://metasploit.com/ without any errors or warnings.
Implementations typically take the list of certificates as untrusted
certificates to add into the process of walking the certificate chain to a
trusted root certificate. There are pragmatic reasons for doing it this way.
From an interoperability point of view remember the adage - "Be strict in what
you generate, be liberal in what you accept"
Tim.
--
Peter.
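As an added illustration of the order-insensitive chain building Tim describes (this is not code from the thread, nor from gnutls or openssl): certificates are modelled as plain subject/issuer records with made-up names, and no signatures are checked, so only the chain-walking logic is shown.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical model):
    only the naming fields needed to link issuer to subject."""
    subject: str
    issuer: str

def strict_chain(presented: List[Cert], roots: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Order-dependent check: each cert must be issued by the next one in the
    list, and the last one must be issued by a trusted root."""
    for cur, nxt in zip(presented, presented[1:]):
        if cur.issuer != nxt.subject:
            return None
    last = presented[-1]
    return presented + [roots[last.issuer]] if last.issuer in roots else None

def pool_chain(presented: List[Cert], roots: Dict[str, Cert], max_depth: int = 8) -> Optional[List[Cert]]:
    """Order-independent check as the post describes: presented[0] is the
    end-entity cert, the remaining certs are an untrusted pool looked up by
    subject while walking issuer links up to a trusted root. A missing
    intermediate, a cycle, or an over-long chain yields None."""
    leaf, pool = presented[0], {c.subject: c for c in presented[1:]}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while len(chain) <= max_depth:
        if cur.issuer in roots:
            return chain + [roots[cur.issuer]]
        cur = pool.get(cur.issuer)
        if cur is None or cur.subject in seen:
            return None
        seen.add(cur.subject)
        chain.append(cur)
    return None

# Constructed sample PKI: LEAF <- INT1 <- INT2 <- ROOT (all names made up).
ROOT = Cert("Example Root CA", "Example Root CA")
INT2 = Cert("Example Policy CA", "Example Root CA")
INT1 = Cert("Example Issuing CA", "Example Policy CA")
LEAF = Cert("www.example.test", "Example Issuing CA")
TRUSTED = {ROOT.subject: ROOT}
ORDERED = [LEAF, INT1, INT2]
MISORDERED = [LEAF, INT2, INT1]   # intermediates sent in the wrong order

def subjects(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return [c.subject for c in chain] if chain else None

if __name__ == "__main__":
    print("strict, ordered:   ", subjects(strict_chain(ORDERED, TRUSTED)))
    print("strict, misordered:", subjects(strict_chain(MISORDERED, TRUSTED)))
    print("pool,   misordered:", subjects(pool_chain(MISORDERED, TRUSTED)))
```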