On Nov 26, 2007 11:17 AM, Michael Bell <[EMAIL PROTECTED]> wrote:
> Nikos Mavrogiannopoulos wrote:
> > On Friday 23 November 2007, Michael Bell wrote:
> >
> > > I try to get a correct validation for a https server. My problem is that
> > > certtool says that everything is fine and gnutls-cli fails.
> > >
> > > Configuration:
> > > - server cert + intermediate ca + root ca
> > > - server sends only the server cert and the intermediate CA
> >
> > As I can see in the output you sent me the server is sending 6 certificates
> > and they do not form a certificate chain. In TLS a certificate chain is
> > formed by having a list where the next certificate certifies the previous.
> > Thus the issuer's DN in certificate [0] should be the same as the subject's
> > DN in certificate [1] and so on. So I believe it is normal for verification
> > to fail.
>
> The server must only send its own cert. Any other information like
> intermediate and root CA certs is optional. The server does not have to send a
> complete chain.

According to which protocol? In TLS the server has to either send his certificate, or his certificate and a complete chain (see section 7.4.2 of RFC2246).

> So actually I think it's a bug in GnuTLS - especially because the other
> clients are able to verify the server. Nevertheless I initiated a
> reconfiguration of the server (luckily we control the server).

This doesn't seem to be a gnutls issue. It looks like a server misconfiguration.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
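The chain rule Nikos describes (issuer DN of certificate [i] must equal subject DN of certificate [i+1], leaf first, root optional) as an added example, not code from the thread or from GnuTLS. Certificates are modelled as constructed (subject, issuer) DN pairs; the `Cert`, `chain_breaks` and `order_chain` names are this example's own.

```python
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    """Constructed stand-in for an X.509 certificate: only the two DNs matter here."""
    subject: str
    issuer: str


def chain_breaks(chain: List[Cert]) -> List[int]:
    """Positions i where chain[i] is not certified by chain[i+1]; an empty list
    means the certificates are in the order RFC 2246 section 7.4.2 prescribes."""
    return [i for i in range(len(chain) - 1)
            if chain[i].issuer != chain[i + 1].subject]


def order_chain(sent: List[Cert]) -> Optional[List[Cert]]:
    """Reorder the certificates a server sent into a valid chain, leaf first.
    Returns None when they do not form one chain: no single end-entity
    certificate, or leftover certificates that certify nothing in the set.
    A self-signed root may be present or omitted, as the RFC allows."""
    by_subject = {c.subject: c for c in sent}
    issuers = {c.issuer for c in sent if c.issuer != c.subject}
    leaves = [c for c in sent if c.subject not in issuers]   # certify nothing else
    if len(leaves) != 1:
        return None
    ordered = [leaves[0]]
    while ordered[-1].issuer != ordered[-1].subject:          # stop at a self-signed root
        parent = by_subject.get(ordered[-1].issuer)
        if parent is None or parent in ordered:               # issuer not sent, or a loop
            break
        ordered.append(parent)
    return ordered if len(ordered) == len(sent) else None    # stray certs => not a chain


# Constructed DNs modelling the thread's setup: server cert, intermediate CA, root CA.
SERVER = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
OTHER = Cert("CN=unrelated.example.test", "CN=Some Other CA")   # does not belong to the chain

if __name__ == "__main__":
    print(chain_breaks([SERVER, INTER, ROOT]))        # [] : valid order
    print(chain_breaks([SERVER, ROOT, INTER]))        # [0, 1] : verification fails
    print(order_chain([ROOT, SERVER, INTER]))         # reordered to [SERVER, INTER, ROOT]
    print(order_chain([SERVER, INTER, ROOT, OTHER]))  # None : not one chain
```

In practice the DN pairs come from the real certificates (for instance via `openssl x509 -noout -subject -issuer` on each certificate the server sends); the ordering logic is the same.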
