[gnutls-help] Server supplied Certificate in Handshake

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Apr 4 22:26:33 CEST 2014


On Fri, 2014-04-04 at 14:49 -0400, Stephen Nightingale wrote:
> I am running GnuTLS 3.1.16 as both client and server, with a python-gnutls
> wrapper extended to check for DANE certificate uses, here:
> https://www.had-pilot.com/dane/danelaw.html.
> 
> The GnuTLS server is running all 0xx and 1xx DANE certificate uses, serving
> a single end certificate per use. It runs 24/7 robustly. It can only
> be configured to take a single end certificate for the server handshake.
> When presented with a concatenation of PEM certs, it will send only the
> end cert in the server side handshake. This is curious, because the GnuTLS
> client will retrieve the full cert chain in communication with, e.g.,
> the TLSlite server.
> 
> I tried this with gnutls-cli and gnutls-serv, configuring the server with
> a concatenated PEM chain, with the same result: only the end cert is
> delivered to the client.
> 
> Has this issue been fixed in subsequent versions of GnuTLS? Are there plans
> to fix it?

If that's the case then it's a bug, but trying 3.1.22 with a correct
chain set in gnutls-serv, I see in gnutls-cli "- Got a certificate
list of 3 certificates."

regards,
Nikos




