[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-gnutls] Peer verification

From: Michael Bell
Subject: Re: [Help-gnutls] Peer verification
Date: Tue, 27 Nov 2007 11:22:09 +0100
User-agent: Thunderbird (X11/20071031)

Nikos Mavrogiannopoulos schrieb:

In your logs I see that the certificate [1] is the root certificate. This looks wrong. The chain should be [0] = server certificate
[1] = intermediate
[2] = root

I read RFC 2246 TLS and it looks like the certificate chain must be in the correct order but it looks like Apache and all clients simply ignore this part of the specification and create the order by themselves. So if GnuTLS has something like a wishlist then I would like to add a more tolerant behaviour because OpenSSL (and by this way Apache) and all the other clients simply accept this behaviour and so the most servers will never take care about such issues.

BTW is there a FAQ or WiKi where I can document this for other users? I think this could be helpful because neither Apache nor OpenSSL s_client report/log any problems with such servers/configurations.

Sorry for the trouble


Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
address@hidden   D-10099 Berlin

X.509 CA Certificates / Wurzelzertifikate

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]