The specification is clear that the chain must be in proper order. I'll bring this up in the TLS WG to see if there is any consensus to make the specification more in line with what some implementations do. I can see several reasons for NOT doing this (e.g., covert channels, DoS-considerations, and unneeded complexity). We should have a strong reason before we violate explicit recommendations in the protocol specification.
/Simon

Peter Volkov <[EMAIL PROTECTED]> writes:

> Is it possible to do something similar in gnutls? It looks like there
> are reasons to validate certificate with wrong order...
>
> -------- Forwarded message --------
> From: Tim Hudson <tjh AT cryptsoft com>
> Reply-TO: [EMAIL PROTECTED]
> TO: [EMAIL PROTECTED]
>
> Peter Volkov wrote:
>> CC'ing openssl developers for their opinions, since I think this
>> behavior better to have consistent or configurable. Description of the
>> problem is here:
>
> Placing this in context - connect with internet explorer or firefox to
> https://metasploit.com/ and you will see that both of those independent
> implementations see nothing wrong with the certificate chain and handle the
> redirect to http://metasploit.com/ without any errors or warnings.
>
> Implementations typically take the list of certificates as untrusted
> certificates to add into the process of walking the certificate chain to a
> trusted root certificate. There are pragmatic reasons for doing it this way.
>
> From an interoperability point of view remember the adage - "Be strict in
> what you generate, be liberal in what you accept"
>
> Tim.
> ______________________________________________________________________
>
>
> --
> Peter.

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
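As an added illustration, not code from GnuTLS, OpenSSL or anyone in the thread: a toy model of the two behaviours discussed above, the strict in-order walk the specification requires versus the "treat the rest of the list as an untrusted pool" path building that the browsers and OpenSSL do. Certificates are reduced to constructed (subject, issuer) records, no signatures are checked, and the depth cap in the pool variant is an assumption standing in for the DoS bound a real implementation would need.

```python
from collections import namedtuple

# Constructed model: a certificate is just its subject and issuer name.
Cert = namedtuple("Cert", "subject issuer")

# Constructed sample hierarchy: leaf <- intermediate <- trusted root.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.test", "Example Intermediate CA")
TRUSTED = {ROOT.subject}          # the local trust store (assumed)


def verify_strict(chain):
    """Spec-ordered walk: chain[0] is the end entity and every certificate
    must be issued directly by the one that follows it.  Returns the path
    to the trust anchor, or None if the chain is out of order or untrusted."""
    if not chain:
        return None
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            return None           # out of order: the strict answer is "invalid"
    return chain if chain[-1].issuer in TRUSTED else None


def verify_pool(chain, max_depth=8):
    """Browser/OpenSSL-style: chain[0] is still the end entity, but the rest
    is only an untrusted pool from which a path to a trusted issuer is built,
    so the sender's ordering does not matter.  max_depth (assumed value)
    bounds the work an attacker-supplied pool can cause; revisits are cut
    so a cyclic pool cannot loop forever."""
    if not chain:
        return None
    pool = {c.subject: c for c in chain[1:]}   # one cert per subject in this toy
    path = [chain[0]]
    while len(path) <= max_depth:
        issuer = path[-1].issuer
        if issuer in TRUSTED:
            return path
        nxt = pool.get(issuer)
        if nxt is None or nxt in path:         # dead end or loop
            return None
        path.append(nxt)
    return None                                 # depth cap hit: refuse
```

With the intermediate sent in the wrong position, `verify_strict` rejects the chain while `verify_pool` still finds the path `[LEAF, INTER]`.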
