[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: gnutls fails to verify server sertificate while openss
From: |
Peter Volkov |
Subject: |
[Help-gnutls] Re: gnutls fails to verify server sertificate while openssl works |
Date: |
Mon, 06 Oct 2008 12:20:51 +0400 |
Is it possible to do something similar in gnutls? It looks like there
are reasons to validate certificate with wrong order...
-------- Forwarded message --------
From: Tim Hudson <tjh AT cryptsoft com>
Reply-TO: address@hidden
TO: address@hidden
Peter Volkov wrote:
> CC'ing openssl developers for their opinions, since I think this
> behavior better to have consistent or configurable. Description of the
> problem is here:
Placing this in context - connect with internet explorer or firefox to
https://metasploit.com/ and you will see that both of those independent
implementations see nothing wrong with the certificate chain and handle the
redirect to http://metasploit.com/ without and errors or warnings.
Implementations typically take the list of certificates as untrusted
certificates to add into the process of walking the certificate chain to a
trusted root certificate. There are pragmatic reasons for doing it this way.
From an interoperability point of view remember the adage - "Be strict in what
you generate, be liberal in what you accept"
Tim.
______________________________________________________________________
--
Peter.