Is it possible to do something similar in gnutls? It looks like there are reasons to validate a certificate with the wrong order...

-------- Forwarded message --------
From: Tim Hudson <tjh AT cryptsoft com>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Peter Volkov wrote:
> CC'ing openssl developers for their opinions, since I think this
> behavior better to have consistent or configurable. Description of the
> problem is here:

Placing this in context - connect with Internet Explorer or Firefox to https://metasploit.com/ and you will see that both of those independent implementations see nothing wrong with the certificate chain and handle the redirect to http://metasploit.com/ without any errors or warnings.

Implementations typically take the list of certificates as untrusted certificates to add into the process of walking the certificate chain to a trusted root certificate. There are pragmatic reasons for doing it this way.

From an interoperability point of view remember the adage - "Be strict in what you generate, be liberal in what you accept"

Tim.

--
Peter.
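
The path-building approach described in the forwarded message, as an added example that is not code from GnuTLS, OpenSSL or anyone in this thread. It assumes a constructed model in which a certificate is reduced to its subject and issuer names, and all certificate names and function names are hypothetical.

```python
# Constructed model: a certificate is only (subject, issuer). Real validators
# also verify signatures, validity periods and constraints on every link.
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    issuer: str

def strict_order_ok(chain: list[Cert]) -> bool:
    """Strict reading: each certificate must be issued by the one after it."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))

def build_path(leaf: Cert, untrusted: list[Cert],
               anchors: dict[str, Cert]) -> Optional[list[Cert]]:
    """Treat the peer's extra certificates as an unordered pool of candidates
    and follow issuer links from the leaf until a local trust anchor is hit."""
    pool = {c.subject: c for c in untrusted}
    path, seen, current = [leaf], {leaf.subject}, leaf
    while True:
        if current.issuer in anchors:            # reached a locally trusted root
            root = anchors[current.issuer]
            if root != current:
                path.append(root)
            return path
        nxt = pool.get(current.issuer)
        if nxt is None or nxt.subject in seen:   # missing issuer, or a loop
            return None
        path.append(nxt)
        seen.add(nxt.subject)
        current = nxt

# Constructed sample data (hypothetical names).
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
ROOT = Cert("Example Root CA", "Example Root CA")
ANCHORS = {ROOT.subject: ROOT}
SENT = [LEAF, ROOT, INTER]                       # peer sent the chain misordered

if __name__ == "__main__":
    print("strict order check:", strict_order_ok(SENT))
    print("path via pool     :", build_path(SENT[0], SENT[1:], ANCHORS))
    # A root that only the peer supplied never becomes a trust anchor.
    print("no local anchor   :", build_path(SENT[0], SENT[1:], {}))
```

The order of the pool does not affect the result, and trust still comes only from the local anchor set, so a misordered list is accepted while a chain ending in a peer-supplied root is not.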
