[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Re: Peer verification

From: Simon Josefsson
Subject: [Help-gnutls] Re: Peer verification
Date: Tue, 27 Nov 2007 14:38:12 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Michael Bell <address@hidden> writes:

> Nikos Mavrogiannopoulos schrieb:
>> In your logs I see that the certificate [1] is the root
>> certificate. This looks wrong. The chain should be [0] = server
>> certificate
>> [1] = intermediate
>> [2] = root
> I read RFC 2246 TLS and it looks like the certificate chain must be in
> the correct order but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist then I would
> like to add a more tolerant behaviour because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour and so
> the most servers will never take care about such issues.
> BTW is there a FAQ or WiKi where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.

Try <>.  Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually.  If you want, you
could also file a wishlist ticket about this.

Unless we get more report about this problem, I don't think we should
modify GnuTLS here.  It seems we follow the protocol.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]