I brought this up in the TLS WG: http://thread.gmane.org/gmane.ietf.tls/3782
Thanks,
/Simon

Simon Josefsson <[EMAIL PROTECTED]> writes:

> The specification is clear that the chain must be in proper order. I'll
> bring this up in the TLS WG to see if there is any consensus to make the
> specification more in line with what some implementations do. I can see
> several reasons for NOT doing this (e.g., covert channels,
> DoS-considerations, and unneeded complexity). We should have a strong
> reason before we violate explicit recommendations in the protocol
> specification.
>
> /Simon
>
> Peter Volkov <[EMAIL PROTECTED]> writes:
>
>> Is it possible to do something similar in gnutls? It looks like there
>> are reasons to validate certificate with wrong order...
>>
>> -------- Forwarded message --------
>> From: Tim Hudson <tjh AT cryptsoft com>
>> Reply-TO: [EMAIL PROTECTED]
>> TO: [EMAIL PROTECTED]
>>
>> Peter Volkov wrote:
>>> CC'ing openssl developers for their opinions, since I think this
>>> behavior better to have consistent or configurable. Description of the
>>> problem is here:
>>
>> Placing this in context - connect with internet explorer or firefox to
>> https://metasploit.com/ and you will see that both of those independent
>> implementations see nothing wrong with the certificate chain and handle the
>> redirect to http://metasploit.com/ without any errors or warnings.
>>
>> Implementations typically take the list of certificates as untrusted
>> certificates to add into the process of walking the certificate chain to a
>> trusted root certificate. There are pragmatic reasons for doing it this way.
>>
>> From an interoperability point of view remember the adage - "Be strict in
>> what you generate, be liberal in what you accept"
>>
>> Tim.
>> ______________________________________________________________________
>>
>>
>> --
>> Peter.

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
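The two behaviours the thread contrasts, as an added example that is not part of the original thread and not GnuTLS or OpenSSL code: a strict check that requires the peer's certificate list to be in the order the TLS specification mandates (leaf first, each certificate followed by its issuer, ending at a trust anchor), beside the liberal path building Tim describes, which treats the extra certificates as an unordered pool of untrusted intermediates and walks issuer links until a trusted root is reached. It also shows the bound Simon's DoS concern calls for: the walk is capped at a fixed depth and never revisits a certificate. Certificates, names, keys and the HMAC "signature" are a constructed toy model standing in for real X.509 and public-key signatures; only the chain-walking logic is the point.

```python
"""Strict ordered-chain validation vs. pool-based path building.

Toy model (constructed for this example): a Cert carries the key that
verifies certificates it issues, and an HMAC under the issuer's key stands
in for a real public-key signature. Not real X.509.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Cap the walk so a peer sending a huge or looping pool cannot burn our time.
MAX_PATH_LEN = 8


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # toy stand-in for the subject's public key
    sig: bytes   # toy signature by the issuer over the fields below


def _tbs(subject: str, issuer: str, key: bytes) -> bytes:
    """To-be-signed bytes: the fields the issuer vouches for."""
    return f"{subject}|{issuer}|".encode() + key


def _sign(issuer_key: bytes, subject: str, issuer: str, key: bytes) -> bytes:
    return hmac.new(issuer_key, _tbs(subject, issuer, key), hashlib.sha256).digest()


def make_root(name: str, key: bytes) -> Cert:
    """Self-signed trust anchor."""
    return Cert(name, name, key, _sign(key, name, name, key))


def issue(subject: str, subject_key: bytes, issuer: Cert) -> Cert:
    """Issuer signs a new certificate for subject."""
    return Cert(subject, issuer.subject, subject_key,
                _sign(issuer.key, subject, issuer.subject, subject_key))


def verify_sig(cert: Cert, issuer_key: bytes) -> bool:
    expect = _sign(issuer_key, cert.subject, cert.issuer, cert.key)
    return hmac.compare_digest(cert.sig, expect)


def validate_strict(chain: list[Cert], roots: dict[str, Cert]) -> bool:
    """Spec order: chain[0] is the leaf, every cert is followed by the cert
    that issued it, and the last cert is issued by a trusted root."""
    if not chain or len(chain) > MAX_PATH_LEN:
        return False
    for cert, parent in zip(chain, chain[1:]):
        # Out of order (or bad signature) means reject, as the spec requires.
        if parent.subject != cert.issuer or not verify_sig(cert, parent.key):
            return False
    last = chain[-1]
    root = roots.get(last.issuer)
    return root is not None and verify_sig(last, root.key)


def build_path(leaf: Cert, pool: list[Cert], roots: dict[str, Cert]) -> Optional[list[Cert]]:
    """Liberal behaviour: treat pool as unordered untrusted intermediates and
    walk issuer links from the leaf to a trusted root. Returns the ordered
    path, or None if no bounded path exists."""
    by_subject: dict[str, list[Cert]] = {}
    for cert in pool:
        by_subject.setdefault(cert.subject, []).append(cert)
    path, seen, cur = [leaf], {leaf}, leaf
    while len(path) <= MAX_PATH_LEN:
        root = roots.get(cur.issuer)
        if root is not None and verify_sig(cur, root.key):
            return path                     # reached a trust anchor
        nxt = next((c for c in by_subject.get(cur.issuer, [])
                    if c not in seen and verify_sig(cur, c.key)), None)
        if nxt is None:
            return None                     # dead end: no issuer in the pool
        seen.add(nxt)                       # never revisit: no cycles
        path.append(nxt)
        cur = nxt
    return None                             # exceeded MAX_PATH_LEN


def example_pki() -> tuple[Cert, Cert, Cert, Cert]:
    """Constructed hierarchy: root -> inter1 -> inter2 -> leaf."""
    root = make_root("Example Root CA", b"root-key")
    inter1 = issue("Example Intermediate 1", b"inter1-key", root)
    inter2 = issue("Example Intermediate 2", b"inter2-key", inter1)
    leaf = issue("www.example.net", b"leaf-key", inter2)
    return root, inter1, inter2, leaf


def demo_results() -> dict:
    root, inter1, inter2, leaf = example_pki()
    roots = {root.subject: root}
    ordered = [leaf, inter2, inter1]       # what the spec says to send
    misordered = [leaf, inter1, inter2]    # intermediates swapped, as in the thread
    path = build_path(leaf, misordered, roots)
    return {
        "strict_ordered": validate_strict(ordered, roots),
        "strict_misordered": validate_strict(misordered, roots),
        "pool_misordered": [c.subject for c in path] if path else None,
    }


def overlong_path_rejected() -> bool:
    """A pool deeper than MAX_PATH_LEN is refused rather than walked forever."""
    root = make_root("Deep Root CA", b"deep-root-key")
    issuer, pool = root, []
    for i in range(MAX_PATH_LEN + 4):
        issuer = issue(f"Deep Intermediate {i}", f"deep-key-{i}".encode(), issuer)
        pool.append(issuer)
    leaf = issue("deep.example.net", b"deep-leaf-key", issuer)
    return build_path(leaf, pool, {root.subject: root}) is None


if __name__ == "__main__":
    print(demo_results())
    print("overlong pool rejected:", overlong_path_rejected())
```

The strict check rejects the swapped list outright, while the pool-based walk recovers the order `leaf, inter2, inter1` from the same bytes. The depth cap and the visited set are what keep the liberal variant from becoming the resource-exhaustion problem the thread warns about.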
