tags 573736 wontfix
retitle 573736 permit incorrectly sorted server certificate chains
thanks
Thorsten Glaser <[email protected]> writes:

> Simon Josefsson dixit:
>
>>It seems alioth.debian.org is configured incorrectly, the chain it is
>>sending isn't sorted in the right order:
> […]
>>So I don't see any GnuTLS bug here.
>
> Most people configuring servers are clueless. Why can’t GnuTLS sort
> the chain (and drop the Root CA Cert) itself, as OpenSSL appears to
> do (maybe to reduce support requests such as this one)? Especially,
> for example when you have no influence over the server in use… even
> if the standard mandates an order (did not check), being liberal in
> accepting sometimes helps.

Being liberal in what you accept for security protocol implementations is almost always a bad idea in my experience.

The chain validation implementation in GnuTLS is far from perfect, and I'd like to have one that would fully conform to RFC 5280. However, sorting the chain sounds like a step in the wrong direction to me.

This issue is a rare problem, and working around the problem in GnuTLS doesn't help: the server remains broken for any other implementations. It seems better to me that you notice the problem as quickly as possible, rather than much later when it can be more difficult to understand what the problem is.

I'm tagging this bug as wontfix and retitling it, so others can find the discussion easier.

(I'm only speaking as upstream GnuTLS maintainer, the debian GnuTLS maintainers could disagree and patch this problem in the debian packages if they think it is a good idea to do so.)

/Simon
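Added example, not code from this bug report or from GnuTLS: a small Python check of the ordering rule TLS imposes on the server's Certificate message (RFC 5246 section 7.4.2: the server certificate first, each following certificate directly certifying the one before it, the self-signed root optional and best left out). It reports the misordering instead of silently repairing it, which is the behaviour argued for above; certificates are modelled by subject and issuer names only, and all names and chains are constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    # Constructed model of a certificate: only the two names the ordering
    # rule cares about. A real tool would take these from parsed X.509 data.
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def check_chain_order(chain):
    """Return a list of problems; an empty list means the chain is well ordered."""
    if not chain:
        return ["empty chain"]
    problems = []
    if chain[0].self_signed:
        problems.append("first certificate is self-signed, expected the server (leaf) certificate")
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        # Each following certificate must directly certify the preceding one.
        if cur.subject != prev.issuer:
            problems.append(f"certificate {i} ({cur.subject!r}) does not certify certificate {i - 1} "
                            f"(whose issuer is {prev.issuer!r})")
    if chain[-1].self_signed:
        problems.append("chain ends with the root CA; clients take the root from their own trust store")
    return problems


def reorder_chain(chain):
    """Diagnostic only: the order the server should send (root dropped), or None if no single path."""
    by_subject = {c.subject: c for c in chain}
    issued = {c.issuer for c in chain if not c.self_signed}
    leaves = [c for c in chain if c.subject not in issued]  # certifies nothing else
    if len(leaves) != 1:
        return None
    ordered = [leaves[0]]
    while not ordered[-1].self_signed and ordered[-1].issuer in by_subject:
        nxt = by_subject[ordered[-1].issuer]
        if nxt in ordered:  # issuer loop, give up
            return None
        ordered.append(nxt)
    return [c for c in ordered if not c.self_signed]


# Constructed sample chains (names are made up).
LEAF = Cert("CN=www.example.org", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
GOOD = [LEAF, INTER]                # what the server should send
MISORDERED = [LEAF, ROOT, INTER]    # a misordered chain of the kind the report describes
```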

