[Help-gnutls] Re: gnutls fails to verify server certificate while openssl works

Simon Josefsson simon at josefsson.org
Mon Oct 6 10:40:43 CEST 2008


The specification is clear that the chain must be in proper order.  I'll
bring this up in the TLS WG to see if there is any consensus to make the
specification more in line with what some implementations do.  I can see
several reasons for NOT doing this (e.g., covert channels,
DoS-considerations, and unneeded complexity).  We should have a strong
reason before we violate explicit recommendations in the protocol
specification.

/Simon

Peter Volkov <pva at gentoo.org> writes:

> Is it possible to do something similar in gnutls? It looks like there
> are reasons to validate certificate with wrong order...
>
> -------- Forwarded message --------
> From: Tim Hudson <tjh AT cryptsoft  com>
> Reply-TO: openssl-dev at openssl.org
> TO: openssl-dev at openssl.org
>
> Peter Volkov wrote:
>> CC'ing openssl developers for their opinions, since I think this
>> behavior better to have consistent or configurable. Description of the
>> problem is here:
>
> Placing this in context - connect with internet explorer or firefox to 
> https://metasploit.com/ and you will see that both of those independent 
> implementations see nothing wrong with the certificate chain and handle the 
> redirect to http://metasploit.com/ without any errors or warnings.
>
> Implementations typically take the list of certificates as untrusted 
> certificates to add into the process of walking the certificate chain to a 
> trusted root certificate. There are pragmatic reasons for doing it this way.
>
> From an interoperability point of view remember the adage - "Be strict in what 
> you generate, be liberal in what you accept"
>
> Tim.
> ______________________________________________________________________
>
>
> -- 
> Peter.
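The two behaviours under discussion, the strict in-order check the TLS specification calls for and the "treat the presented list as an untrusted pool and build a path to a trusted root" approach Tim describes, side by side as an added example. This is not GnuTLS or OpenSSL code; the certificates are a constructed toy model (subject, issuer, a stand-in public key, and a hash tag standing in for the issuer's signature over the TBS part), so the path-building logic is real but the cryptographic step is simulated. The names `Example Root CA`, `Example Intermediate CA` and `www.example.test` are invented for the demonstration.

```python
"""Strict in-order chain check vs. pool-based path building.

Added example, not GnuTLS or OpenSSL code.  A real verifier parses X.509
and checks each signature with the issuer's public key; here `_tag` is a
constructed stand-in for that signature so the example runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: bytes   # stand-in for SubjectPublicKeyInfo
    tag: bytes      # stand-in for the signature over the TBS part


def _tag(subject: str, issuer: str, pubkey: bytes, issuer_key: bytes) -> bytes:
    # Toy "signature": a hash bound to the issuer's key.  Not secure; only
    # here so that signed_by() has something to check.
    return hashlib.sha256(issuer_key + subject.encode() + issuer.encode() + pubkey).digest()


def issue(subject: str, pubkey: bytes, issuer: Optional[Cert] = None) -> Cert:
    """Issue a certificate; issuer=None produces a self-signed root."""
    issuer_name = subject if issuer is None else issuer.subject
    issuer_key = pubkey if issuer is None else issuer.pubkey
    return Cert(subject, issuer_name, pubkey, _tag(subject, issuer_name, pubkey, issuer_key))


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Does `issuer` certify `cert`?  Name chaining plus the (toy) signature."""
    if cert.issuer != issuer.subject:
        return False
    expected = _tag(cert.subject, cert.issuer, cert.pubkey, issuer.pubkey)
    return hmac.compare_digest(cert.tag, expected)


def verify_strict(chain: List[Cert], roots: List[Cert]) -> bool:
    """Specification reading: chain[0] is the server certificate and every
    following certificate must directly certify the one before it."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if not signed_by(child, parent):
            return False
    last = chain[-1]
    # The last element is either a trust anchor or issued directly by one.
    return any(last == r or signed_by(last, r) for r in roots)


def verify_pool(chain: List[Cert], roots: List[Cert], max_depth: int = 8) -> Optional[List[Cert]]:
    """Liberal reading (what Tim describes): chain[0] is the end-entity
    certificate, the rest is an untrusted pool searched for a path to a
    root.  max_depth bounds the search, which is the DoS concern with
    accepting arbitrary pools."""
    if not chain:
        return None
    pool = chain[1:]
    path = [chain[0]]
    while len(path) <= max_depth:
        cur = path[-1]
        for r in roots:
            if cur == r:
                return path
            if signed_by(cur, r):
                return path + [r]
        nxt = next((c for c in pool if c not in path and signed_by(cur, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
    return None


# Constructed sample PKI: root -> intermediate -> server.
ROOT = issue("Example Root CA", b"root-key")
INTER = issue("Example Intermediate CA", b"inter-key", ROOT)
SERVER = issue("www.example.test", b"server-key", INTER)

ORDERED = [SERVER, INTER]          # what the spec expects on the wire
MISORDERED = [SERVER, ROOT, INTER]  # root sent early, intermediate out of place


def subjects(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    for name, chain in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, "strict:", verify_strict(chain, [ROOT]),
              "pool:", subjects(verify_pool(chain, [ROOT])))
```

Run stand-alone, the ordered chain passes both checks, while the misordered one fails the strict check and is still accepted by the pool-based builder, which is the difference between GnuTLS and the browsers Tim mentions. Note that a pool-based builder has to cap depth and reject cycles (`c not in path`), and that a strict checker still has to confirm the final element really reaches a trust anchor rather than stopping at whatever the peer put last.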
