Verifying server certificate failed?!

Richard Moore rich at kde.org
Fri Mar 16 13:26:56 CET 2012


On 15 March 2012 18:05, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 03/15/2012 04:19 PM, Sven Geggus wrote:
>
>> So I definitely think gnutls should be more tolerant about
>> certificates which are not in use but provided anyway.
>
> I don't think this is a good idea. The protocol exactly specifies which
> certificates should be present. It does not allow any kind of additional
> information to be present so by providing it you violate the protocol.
>
> On the practical side, a simpler parser allows for simpler code and
> thus less bugs.

I can see your point, but for compatibility reasons all browsers
generally cache intermediate certificates and will automatically use
them should a site fail to provide them, and in addition they will
skip any extra certificates a site may send. If gnutls doesn't either
do this automatically, or at least provide a means for applications to
do so then it is going to lead to a bunch of frustrated and confused
users.

Having spent quite a lot of time explaining how to address missing
intermediate certificates even to the administrators of banking web
sites, I think it will be a lot easier all round to accept a little
more complexity in this part of the code.

Cheers

Rich.
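The two behaviours Rich describes (skipping extra certificates a server sends, and filling a missing intermediate from a local cache) as an added toy model of chain building. This is not code from the thread or from GnuTLS; certificates are modelled as constructed (subject, issuer) name pairs, the names "Example Root CA", "Example Issuing CA", "www.example.com" and "Unrelated Corp CA" are made up, and real chain building additionally verifies signatures, validity periods, key usage and name constraints, which this model leaves out to show only the control flow under discussion.

```python
"""Toy model of TLS certificate-chain building (constructed example).

Certificates are (subject, issuer) name pairs only; no cryptography.
`strict=True` mirrors the position that extra certificates are a protocol
violation; the default is the browser-style tolerant behaviour.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


class ChainError(Exception):
    """Raised when no path from the leaf to a trust anchor can be built."""


MAX_CHAIN_LENGTH = 16  # guard against pathological or looping inputs


def build_chain(leaf: Cert, provided: Sequence[Cert], trusted: Iterable[Cert],
                cache: Iterable[Cert] = (), strict: bool = False) -> List[Cert]:
    """Return [leaf, intermediate..., trust anchor].

    Issuers are looked up first among the certificates the server sent,
    then in the local cache of previously seen intermediates. Certificates
    the server sent that never get used are ignored unless strict=True.
    """
    trust_by_subject = {c.subject: c for c in trusted}
    provided_by_subject = {c.subject: c for c in provided if c != leaf}
    cache_by_subject = {c.subject: c for c in cache}

    chain = [leaf]
    used = {leaf}
    current = leaf
    while current.issuer not in trust_by_subject:
        nxt = provided_by_subject.get(current.issuer) or cache_by_subject.get(current.issuer)
        if nxt is None or nxt in used:
            raise ChainError(f"no issuer found for {current.subject!r}")
        if len(chain) >= MAX_CHAIN_LENGTH:
            raise ChainError("chain too long")
        chain.append(nxt)
        used.add(nxt)
        current = nxt
    chain.append(trust_by_subject[current.issuer])

    if strict:
        extras = [c for c in provided if c not in used]
        if extras:
            raise ChainError("unexpected extra certificates: "
                             + ", ".join(c.subject for c in extras))
    return chain


def chain_subjects(*args, **kwargs) -> List[str]:
    """Convenience wrapper: subject names of the built chain, or [] on failure."""
    try:
        return [c.subject for c in build_chain(*args, **kwargs)]
    except ChainError:
        return []


# Constructed sample PKI (names are made up).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Issuing CA")
UNRELATED = Cert("Unrelated Corp CA", "Unrelated Corp Root")

if __name__ == "__main__":
    # Server sends an unrelated extra certificate: tolerant mode skips it,
    # strict mode refuses the connection.
    print(chain_subjects(LEAF, [LEAF, INTERMEDIATE, UNRELATED], [ROOT]))
    print(chain_subjects(LEAF, [LEAF, INTERMEDIATE, UNRELATED], [ROOT], strict=True))
    # Server omits the intermediate: the cache fills the gap; without it, failure.
    print(chain_subjects(LEAF, [LEAF], [ROOT], cache=[INTERMEDIATE]))
    print(chain_subjects(LEAF, [LEAF], [ROOT]))
```

The two failure modes in the thread map onto the two `ChainError` paths: an unused extra certificate only matters in strict mode, while a missing intermediate is fatal unless something (here the cache) supplies it.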
