Re: [Help-gnutls] Peer verification

From: Michael Bell
Subject: Re: [Help-gnutls] Peer verification
Date: Mon, 26 Nov 2007 10:17:13 +0100
User-agent: Thunderbird (X11/20071031)

Nikos Mavrogiannopoulos wrote:
> On Friday 23 November 2007, Michael Bell wrote:
>
>> I try to get a correct validation for a https server. My problem is that
>> certtool says that everything is fine and gnutls-cli fails.
>>
>>    - server cert + intermediate ca + root ca
>>    - server sends only the server cert and the intermediate CA
>
> As I can see in the output you sent me the server is sending 6 certificates
> and they do not form a certificate chain. In TLS a certificate chain is
> formed by having a list where the next certificate certifies the previous.
> Thus the issuer's DN in certificate [0] should be the same as the subject's
> DN in certificate [1] and so on. So I believe it is normal for verification to fail.

The server must only send its own cert. Any other information like intermediate and root CA certs is optional. The server does not have to send a complete chain. Therefore the browsers have no problem with this page because they know the root CA cert and mostly the intermediate CA cert. So actually I think it's a bug in GnuTLS - especially because the other clients are able to verify the server. Nevertheless I initiated a reconfiguration of the server (luckily we control the server).

Best regards


Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
address@hidden   D-10099 Berlin

X.509 CA Certificates / Wurzelzertifikate
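
The ordering rule from the quoted reply (issuer DN of certificate [i] equals subject DN of certificate [i+1]), shown as an added example that is not part of the original message or of GnuTLS. Certificates are modelled as constructed (subject, issuer) DN pairs, `first_break` and `reorder` are hypothetical helper names, and only DN linkage is compared: no signature or trust-anchor check is performed.

```python
from typing import List, Optional, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN); a stand-in for a parsed X.509 cert

def first_break(chain: List[Cert]) -> Optional[int]:
    """Index i where issuer(chain[i]) != subject(chain[i+1]), or None if ordered."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None

def reorder(certs: List[Cert]) -> List[Cert]:
    """Build a path from certs[0] (the server certificate) by following
    issuer -> subject links through the other certificates, in any order.
    Certificates that are not on the path are dropped."""
    by_subject = {}
    for cert in certs[1:]:
        by_subject.setdefault(cert[0], cert)
    path, seen = [certs[0]], {certs[0][0]}
    while True:
        subject, issuer = path[-1]
        if issuer == subject:            # self-signed: reached a root
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:  # issuer not sent, or a loop
            break
        path.append(nxt)
        seen.add(nxt[0])
    return path

# Constructed sample: six certificates sent in an order that is not a chain.
SENT = [
    ("CN=www.example.test", "CN=Example Intermediate CA"),
    ("CN=Unrelated CA 1", "CN=Unrelated CA 1"),
    ("CN=Example Root CA", "CN=Example Root CA"),
    ("CN=Example Intermediate CA", "CN=Example Root CA"),
    ("CN=Unrelated CA 2", "CN=Unrelated CA 1"),
    ("CN=Unrelated CA 3", "CN=Unrelated CA 3"),
]

if __name__ == "__main__":
    print("as sent, first break at index:", first_break(SENT))
    path = reorder(SENT)
    print("reordered path:", [subject for subject, _ in path])
    print("reordered, first break:", first_break(path))
```

A verifier that checks the list strictly in the order sent stops at the first break, while a client that builds the path from whatever certificates it has, as in `reorder`, can still link the server certificate to a root.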

