On Thu, March 6, 2014 22:44, Vincent Lefevre wrote: > On 2014-03-06 13:46:13 +0100, Thijs Kinkhorst wrote: >> A simple test with openssl s_client reveals that www.inria.fr has not >> configured the correct certificate chain for the TCS certificates. This >> needs to be taken up with the administrators of that website. > > I confirm for www.inria.fr and www.cnrs.fr (I've reported the problem > to the sysadmins), but for other ones with a correct certificate > chain, it doesn't work with lynx. Adding the TERENA SSL CA certificate > to ca-certificates.crt solves the problem. > > Now, since this problem is specific to lynx, I suppose that this is > more a bug with lynx itself. I've reported another bug:
Adding intermediate certificates to ca-certificates.crt works around a problem in said applications. The root CA's as used by TCS are already in ca-certificates.crt and the chains are published by the web server, so all information is there. Any client that fails validation then is buggy. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740961 So this is indeed the best way forward. Thijs -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org