[Help-gnutls] Re: gnutls fails to verify server certificate while openss

From: Simon Josefsson
Subject: [Help-gnutls] Re: gnutls fails to verify server certificate while openssl works
Date: Mon, 06 Oct 2008 11:39:11 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

I brought this up in the TLS WG:


Simon Josefsson <address@hidden> writes:

> The specification is clear that the chain must be in proper order.  I'll
> bring this up in the TLS WG to see if there is any consensus to make the
> specification more in line with what some implementations do.  I can see
> several reasons for NOT doing this (e.g., covert channels,
> DoS-considerations, and unneeded complexity).  We should have a strong
> reason before we violate explicit recommendations in the protocol
> specification.
> /Simon
> Peter Volkov <address@hidden> writes:
>> Is it possible to do something similar in gnutls? It looks like there
>> are reasons to validate certificate with wrong order...
>> -------- Forwarded message --------
>> From: Tim Hudson <tjh AT cryptsoft  com>
>> Reply-TO: address@hidden
>> TO: address@hidden
>> Peter Volkov wrote:
>>> CC'ing openssl developers for their opinions, since I think it is
>>> better to have this behavior consistent or configurable. Description of the
>>> problem is here:
>> Placing this in context - connect with internet explorer or firefox to 
>> and you will see that both of those independent 
>> implementations see nothing wrong with the certificate chain and handle the 
>> redirect to without any errors or warnings.
>> Implementations typically take the list of certificates as untrusted 
>> certificates to add into the process of walking the certificate chain to a 
>> trusted root certificate. There are pragmatic reasons for doing it this way.
>> From an interoperability point of view remember the adage - "Be strict in what
>> you generate, be liberal in what you accept"
>> Tim.
>> -- 
>> Peter.
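The two validation strategies under discussion, the strict in-order chain check the TLS specification calls for and the OpenSSL/browser approach Tim describes of treating the presented list as an unordered pool of untrusted intermediates, as an added Python illustration that is not part of this thread nor code from GnuTLS or OpenSSL. Certificates are reduced to subject/issuer names (no signatures, dates or constraints are checked), the sample names are constructed, and the depth and cycle bound reflects the DoS concern raised above.

```python
from collections import namedtuple

# Minimal stand-in for an X.509 certificate: only the name fields matter for
# path building. Real validation also checks signatures, validity dates,
# key usage and constraints; those are deliberately omitted here.
Cert = namedtuple("Cert", ["subject", "issuer"])

def strict_chain_ok(chain, trust_anchors):
    """Specification-style check: chain[0] is the end-entity certificate and
    each following certificate must directly certify the one before it,
    with the last one issued by a trusted root."""
    if not chain:
        return False
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            return False
    return chain[-1].issuer in trust_anchors

def build_path(leaf, pool, trust_anchors, max_depth=8):
    """Lenient approach: the presented certificates are an unordered pool of
    untrusted intermediates; walk issuer -> subject from the leaf until a
    trust anchor is reached. max_depth and the seen-set bound the walk so a
    hostile pool (very long or cyclic) cannot keep the verifier busy."""
    by_subject = {c.subject: c for c in pool}
    path = [leaf]
    seen = {leaf.subject}
    while path[-1].issuer not in trust_anchors:
        if len(path) >= max_depth:
            return None
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:
            return None
        seen.add(nxt.subject)
        path.append(nxt)
    return path

# Constructed sample hierarchy (not from the thread): root -> intermediate -> leaf.
TRUST_ANCHORS = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.test", "Example Intermediate CA")
IN_ORDER = [LEAF, INTER, ROOT]        # what the specification requires
OUT_OF_ORDER = [LEAF, ROOT, INTER]    # leaf first, rest shuffled

if __name__ == "__main__":
    print("strict, out of order:", strict_chain_ok(OUT_OF_ORDER, TRUST_ANCHORS))
    path = build_path(OUT_OF_ORDER[0], OUT_OF_ORDER[1:], TRUST_ANCHORS)
    print("lenient, out of order:", [c.subject for c in path] if path else None)
```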
