Michael Bell <[EMAIL PROTECTED]> writes:

> Nikos Mavrogiannopoulos wrote:
>
>> In your logs I see that the certificate [1] is the root
>> certificate. This looks wrong. The chain should be
>> [0] = server certificate
>> [1] = intermediate
>> [2] = root
>
> I read RFC 2246 TLS and it looks like the certificate chain must be in
> the correct order but it looks like Apache and all clients simply
> ignore this part of the specification and create the order by
> themselves. So if GnuTLS has something like a wishlist then I would
> like to add a more tolerant behaviour because OpenSSL (and by this way
> Apache) and all the other clients simply accept this behaviour and so
> most servers will never take care about such issues.
>
> BTW is there a FAQ or wiki where I can document this for other users?
> I think this could be helpful because neither Apache nor OpenSSL
> s_client report/log any problems with such servers/configurations.

Try <http://trac.gnutls.org/>. Feel free to add a wiki page about this,
maybe we can organize a FAQ there as well eventually. If you want, you
could also file a wishlist ticket about this.

Unless we get more reports about this problem, I don't think we should
modify GnuTLS here. It seems we follow the protocol.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
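
The two behaviours discussed in this thread, as an added example that is not part of the original messages and is not GnuTLS or OpenSSL code: a strict check of the order Nikos describes, and a tolerant reordering that follows issuer names starting from the server certificate. Certificates are reduced to constructed (subject, issuer) name pairs; the names, the `Cert` type and both function names are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    """Constructed stand-in for an X.509 certificate: names only.
    Real validation also checks signatures, validity and constraints."""
    subject: str
    issuer: str


def first_order_violation(chain: List[Cert]) -> Optional[int]:
    """Strict check: each certificate must directly certify the one before it.
    Returns the index of the first certificate that does not, or None."""
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return i + 1
    return None


def reorder_from_leaf(chain: List[Cert]) -> List[Cert]:
    """Tolerant handling: keep [0] as the server certificate, then pick each
    issuer out of the remaining certificates regardless of the order sent."""
    if not chain:
        return []
    ordered = [chain[0]]
    pool = list(chain[1:])
    while pool:
        current = ordered[-1]
        if current.subject == current.issuer:
            break  # self-signed root reached
        issuer = next((c for c in pool if c.subject == current.issuer), None)
        if issuer is None:
            break  # issuer was not sent; the path ends here
        pool.remove(issuer)
        ordered.append(issuer)
    return ordered


# Constructed sample data mirroring the thread: the root appears at [1].
SERVER = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
AS_SENT = [SERVER, ROOT, INTERMEDIATE]

if __name__ == "__main__":
    print("strict check fails at index:", first_order_violation(AS_SENT))
    for i, cert in enumerate(reorder_from_leaf(AS_SENT)):
        print(f"[{i}] {cert.subject}")
```

Matching on names alone is a simplification; a real implementation would confirm each link by verifying the signature with the candidate issuer's public key.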
