On 04/09/2014 05:47 PM, Olaf Zaplinski wrote:
> I found a blog mentioning that GnuTLS has problems with subjectAltName:
>
> http://jan-krueger.net/development/mod_gnutls-and-startssl-level-1-certificates-the-problem-and-solution

that blog post is from more than three years ago. It may not reflect the version of mod_gnutls you're using today.

what version of apache are you running? what version of gnutls are you running? what version of mod_gnutls are you running?

Your earlier message to gnutls-help provides this link:

https://0.jmt.gr/?4d9b07a686545531#fMZ3M2aQ1fPk87BVQNICFgwo3giEBCtIt55lNvFRg4k=

this is a zerobin site, certified by CACert, sending Strict-Transport-Security headers. For people without the CACert root CA in their trust store, even if they make a temporary allowance for the guest cert, the STS header will cause the browser to reject the connection with no user clickthrough allowed. zerobin also needs javascript, so falling back to wget --no-check-certificate doesn't produce anything a human can understand.

I don't want this to turn into a discussion about the relative merits of CACert or the CA cartel or javascript or supposedly-ephemeral data, but my point is if you want people on the internet to help figure things out, making it easier for them to see the data they need to see to understand the situation is probably a good idea.

if there are redacted configs that you're willing to publish, it is helpful to include them directly in your e-mail response.

thanks,

--dkg
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
