On Friday 23 November 2007, Michael Bell wrote:
> Hi,
>
> I try to get a correct validation for a https server. My problem is that
> certtool says that everything is fine and gnutls-cli fails.
>
> Configuration:
> - server cert + intermediate ca + root ca
> - server sends only the server cert and the intermediate CA

As I can see in the output you sent me the server is sending 6 certificates
and they do not form a certificate chain. In TLS a certificate chain is formed
by having a list where the next certificate certifies the previous. Thus the
issuer's DN in certificate [0] should be the same as the subject's DN in
certificate [1] and so on.

So I believe it is normal for verification to fail.

regards,
Nikos

- Certificate[0] info:
 # The hostname in the certificate matches 'kalender.cms.hu-berlin.de'.
 # valid since: Tue Apr 10 09:56:31 CEST 2007
 # expires at: Thu Apr 9 09:56:31 CEST 2009
 # fingerprint: 04:6D:38:E9:AE:50:3B:FE:68:F6:A1:B7:6A:BD:35:3A
 # Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=Computer- und Medienservice,CN=(kalender|kalender1|kalender2).cms.hu-berlin.de
 # Issuer's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 4

- Certificate[1] info:
 # valid since: Sat Dec 1 13:11:16 CET 2001
 # expires at: Sun Jan 31 13:11:16 CET 2010
 # fingerprint: 3E:1F:9E:E6:4C:6E:F0:22:08:25:DA:91:23:08:05:03
 # Subject's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification Authority,[EMAIL PROTECTED]
 # Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification Authority,[EMAIL PROTECTED]

- Certificate[2] info:
 # valid since: Wed Dec 12 19:20:36 CET 2001
 # expires at: Mon Dec 12 19:20:36 CET 2005
 # fingerprint: 1E:42:77:7F:98:C7:BD:52:C5:EC:47:0A:36:5C:5E:10
 # Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,CN=HU-CA [sign only],[EMAIL PROTECTED]
 # Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification Authority,[EMAIL PROTECTED]

- Certificate[3] info:
 # valid since: Mon Oct 18 16:19:09 CEST 2004
 # expires at: Sat Oct 18 16:19:09 CEST 2008
 # fingerprint: 44:88:A0:5E:93:12:1D:EA:56:E4:00:F6:98:87:58:A4
 # Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 1
 # Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification Authority,[EMAIL PROTECTED]

- Certificate[4] info:
 # valid since: Mon Oct 24 13:53:26 CEST 2005
 # expires at: Wed Oct 24 13:53:26 CEST 2007
 # fingerprint: EA:6E:02:BC:38:91:F2:47:21:9A:0E:9D:F9:E8:3A:BD
 # Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-DCA 3
 # Issuer's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 1

- Certificate[5] info:
 # valid since: Wed Oct 11 16:19:18 CEST 2006
 # expires at: Sun Oct 10 16:19:18 CEST 2010
 # fingerprint: 41:0C:13:A7:80:BF:FC:41:A6:68:6E:41:42:E7:CD:35
 # Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 4
 # Issuer's DN: C=DE,O=DFN-Verein,OU=DFN-PKI,CN=DFN-Verein PCA Classic - G01

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
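
The ordering rule described in the reply above, as an added example that is not part of the original thread: a Python check that reads the Subject/Issuer DN lines of gnutls-cli output, reports the first position where the list stops being a chain, and follows issuer names from certificate [0] to show which of the sent certificates actually link up. The function names and the shortened DNs in the sample are assumptions made for this example.

```python
import re

def parse_certs(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    subjects = re.findall(r"Subject's DN:[ \t]*(.+)", text)
    issuers = re.findall(r"Issuer's DN:[ \t]*(.+)", text)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def first_break(certs):
    """Index i where issuer of cert[i] differs from subject of cert[i+1], else None."""
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            return i
    return None

def usable_path(certs):
    """Follow issuer -> subject names from cert[0]; return the indices that link up.
    Name matching only: signatures, dates and trust anchors are not checked."""
    if not certs:
        return []
    # Map each subject DN to the first position it appears at.
    by_subject = {s: i for i, (s, _) in reversed(list(enumerate(certs)))}
    path, i = [0], 0
    while certs[i][0] != certs[i][1]:          # stop at a self-signed certificate
        nxt = by_subject.get(certs[i][1])
        if nxt is None or nxt in path:         # issuer was not sent, or names loop
            break
        path.append(nxt)
        i = nxt
    return path

# Constructed sample: gnutls-cli style lines, DNs shortened to the CN for brevity.
SAMPLE = """\
 # Subject's DN: CN=kalender.cms.hu-berlin.de
 # Issuer's DN: CN=HU-CA 4
 # Subject's DN: CN=DFN Toplevel Certification Authority
 # Issuer's DN: CN=DFN Toplevel Certification Authority
 # Subject's DN: CN=HU-CA [sign only]
 # Issuer's DN: CN=DFN Toplevel Certification Authority
 # Subject's DN: CN=HU-CA 1
 # Issuer's DN: CN=DFN Toplevel Certification Authority
 # Subject's DN: CN=HU-DCA 3
 # Issuer's DN: CN=HU-CA 1
 # Subject's DN: CN=HU-CA 4
 # Issuer's DN: CN=DFN-Verein PCA Classic - G01
"""

if __name__ == "__main__":
    certs = parse_certs(SAMPLE)
    print("breaks after index", first_break(certs), "usable path", usable_path(certs))
```

On the sample, the list breaks right after certificate [0], and only [0] and [5] link by name; the issuer of [5] is not among the certificates sent.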
