What makes a certificate invalid?

Shanishchara, Kunal Kunal.Shanishchara at spirent.com
Fri Dec 11 17:54:10 CET 2009

Hi Daniel,

Thank you for the detailed answers (previous email) and pointing to the
link. These are very helpful. 

I must admit though that I am still unable to comprehend the right
behavior for the particular scenario that I have in mind.

I am going to describe it to the best of my ability. Please find the
description below.

Problem Description:

I have generated my own root certificate, lets say xyz.cer. I use this
root certificate to generate certificates for 2 different FQDNs, lets
say abc.com and def.org. 

Now, I am trying to induce an authentication failure by doing the

1. The server sends the certificate generated for def.org and the client
sends a certificate for abc.com. Both these certificates were generated
using same X.509  certificate xyz.cer.
2. The server expects the client to fail the TLS authentication during
server hello, client hello messaging.
3. Based on the authentication failure, client will fallback to def.org
(as per the higher layer specification) and the successive attempt will
go through.


Is the Server correct in expecting an authentication failure in Step 2?

If no, apart from providing invalid certificate with some obvious cause
(expired cert, etc..) is there another way to implement the
functionality on the server?

Thanks in advance. 

Thanks and regards,

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net] 
Sent: Friday, December 11, 2009 11:23 AM
To: help-gnutls at gnu.org
Cc: Shanishchara, Kunal
Subject: Re: What makes a certificate invalid?

On 12/10/2009 07:49 PM, Daniel Kahn Gillmor wrote:
> I'm sure someone else can come up with possible ways i've missed that 
> a certificate could be invalid ;)

i thought of another way this morning:

10) if the certificate contains an X.509v3 extension that is marked
"critical" that it does not know how to process, it MUST reject the




<DIV><FONT size="1">

E-mail confidentiality.
This e-mail contains confidential and / or privileged information belonging to Spirent Communications plc, its affiliates and / or subsidiaries. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution and / or the taking of any action based upon reliance on the contents of this transmission is strictly forbidden. If you have received this message in error please notify the sender by return e-mail and delete it from your system. If you require assistance, please contact our IT department at helpdesk at spirent.com.

Spirent Communications plc,
Northwood Park, Gatwick Road, Crawley,
West Sussex, RH10 9XN, United Kingdom.
Tel No. +44 (0) 1293 767676
Fax No. +44 (0) 1293 767677

Registered in England Number 470893
Registered at Northwood Park, Gatwick Road, Crawley, West Sussex, RH10 9XN, United Kingdom.

Or if within the US,

Spirent Communications,
26750 Agoura Road, Calabasas, CA, 91302, USA.
Tel No. 1-818-676- 2300 


More information about the Gnutls-help mailing list