Verifying server certificate failed?!

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Mar 17 13:47:54 CET 2012


On 03/16/2012 01:26 PM, Richard Moore wrote:

>> 
>> On the practical side, a simpler parser allows for simpler code
>> and thus less bugs.
> I can see your point, but for compatibility reasons all browsers 
> generally cache intermediate certificates and will automatically use 
> them should a site fail to provide them, and in addition they will 
> skip any extra certificates a site may send. If gnutls doesn't
> either do this automatically, or at least provide a means for
> applications to do so then it is going to lead to a bunch of
> frustrated and confused users.


gnutls is tolerant and if the correct chain is provided
in the front of the list then it will verify the chain and not complain.
The problem is if there is no proper chain, e.g. if certificates are
thrown in a random order.

> Having spent quite a lot of time explaining how to address missing 
> intermediate certificates even to the administrators of banking web 
> sites, I think it will be a lot easier all round to accept a little 
> more complexity in this part of the code.


I understand. It should have been, though, that their software should
have reordered the provided list or should have failed due to an
unordered list (gnutls servers don't allow you to provide illegal chains).

It is not currently in my todo list, but if there is a simple and clean
patch to re-order the certificate list prior to verification I'll accept it.

regards,
Nikos
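As an added illustration of the reordering step discussed in this thread (this is example code, not GnuTLS code or a patch from either poster), the following Python models certificates as simple subject/issuer records so the logic can run offline. A real implementation would parse the X.509 certificates and compare the issuer DN against the subject DN (and preferably the Authority Key Identifier against the Subject Key Identifier). The names `Cert`, `reorder_chain` and `chain_is_complete` are assumptions of this example. It walks from the end-entity certificate (which TLS requires to be sent first) up the issuer links, drops the extra certificates a site may send, and stops at a self-signed certificate or where an intermediate is missing, leaving the trust decision to the normal verifier.

```python
"""Reorder an unordered certificate list into a verifiable chain.

Added example, not GnuTLS code: certificates are modelled as records with
a subject and an issuer name (constructed stand-ins for parsed X.509
certificates) so that the ordering logic can run without a TLS library.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (hypothetical)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def reorder_chain(certs):
    """Return (chain, extras) for an arbitrarily ordered certificate list.

    The first certificate is taken as the end-entity certificate, as TLS
    requires. Each next link is found by looking up a certificate whose
    subject equals the current issuer. Certificates that are not on that
    path are returned in `extras` so the caller can ignore them. The walk
    stops at a self-signed certificate, when no issuer is present in the
    list (a missing intermediate), or if the supplied list loops.
    """
    if not certs:
        return [], []
    leaf, rest = certs[0], list(certs[1:])
    by_subject = {}
    for c in rest:
        by_subject.setdefault(c.subject, c)  # keep the first copy of duplicates
    chain = [leaf]
    used = {id(leaf)}
    current = leaf
    while not current.self_signed:
        nxt = by_subject.get(current.issuer)
        if nxt is None or id(nxt) in used:
            break  # missing intermediate, or a cycle in the supplied list
        chain.append(nxt)
        used.add(id(nxt))
        current = nxt
    extras = [c for c in rest if id(c) not in used]
    return chain, extras


def chain_is_complete(chain):
    """True if the reordered chain reaches a self-signed (root) certificate.

    Completeness is not trust: the verifier must still check that the root
    is in its trust store and that every signature and validity period holds.
    """
    return bool(chain) and chain[-1].self_signed


# Constructed sample data: a site sending its certificates in random order
# together with an unrelated certificate that should be skipped.
SAMPLE_ROOT = Cert("Example Root CA", "Example Root CA")
SAMPLE_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
SAMPLE_LEAF = Cert("www.example.test", "Example Intermediate CA")
SAMPLE_UNRELATED = Cert("Other CA", "Example Root CA")
SAMPLE_LIST = [SAMPLE_LEAF, SAMPLE_UNRELATED, SAMPLE_ROOT, SAMPLE_INTERMEDIATE]

if __name__ == "__main__":
    ordered, skipped = reorder_chain(SAMPLE_LIST)
    print("chain:", [c.subject for c in ordered])
    print("skipped:", [c.subject for c in skipped])
    print("complete:", chain_is_complete(ordered))
```

The lookup keys on the subject name only for clarity; in practice two different CA certificates can share a subject (cross-signed roots being the common case), which is why key-identifier matching, or trying each candidate, is the safer choice.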