Hi Daniel, Thank you for the detailed answers (previous email) and pointing to the link. These are very helpful.
I must admit though that I am still unable to comprehend the right behavior for the particular scenario that I have in mind. I am going to describe it to the best of my ability. Please find the description below. Problem Description: I have generated my own root certificate, lets say xyz.cer. I use this root certificate to generate certificates for 2 different FQDNs, lets say abc.com and def.org. Now, I am trying to induce an authentication failure by doing the following. 1. The server sends the certificate generated for def.org and the client sends a certificate for abc.com. Both these certificates were generated using same X.509 certificate xyz.cer. 2. The server expects the client to fail the TLS authentication during server hello, client hello messaging. 3. Based on the authentication failure, client will fallback to def.org (as per the higher layer specification) and the successive attempt will go through. Questions: Is the Server correct in expecting an authentication failure in Step 2? If no, apart from providing invalid certificate with some obvious cause (expired cert, etc..) is there another way to implement the functionality on the server? Thanks in advance. Thanks and regards, Kunal. -----Original Message----- From: Daniel Kahn Gillmor [mailto:[email protected]] Sent: Friday, December 11, 2009 11:23 AM To: [email protected] Cc: Shanishchara, Kunal Subject: Re: What makes a certificate invalid? On 12/10/2009 07:49 PM, Daniel Kahn Gillmor wrote: > I'm sure someone else can come up with possible ways i've missed that > a certificate could be invalid ;) i thought of another way this morning: 10) if the certificate contains an X.509v3 extension that is marked "critical" that it does not know how to process, it MUST reject the certificate: http://tools.ietf.org/html/rfc5280#section-4.2.1.10 hth, --dkg <DIV><FONT size="1"> E-mail confidentiality. -------------------------------- This e-mail contains confidential and / or privileged information belonging to Spirent Communications plc, its affiliates and / or subsidiaries. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution and / or the taking of any action based upon reliance on the contents of this transmission is strictly forbidden. If you have received this message in error please notify the sender by return e-mail and delete it from your system. If you require assistance, please contact our IT department at [email protected]. Spirent Communications plc, Northwood Park, Gatwick Road, Crawley, West Sussex, RH10 9XN, United Kingdom. Tel No. +44 (0) 1293 767676 Fax No. +44 (0) 1293 767677 Registered in England Number 470893 Registered at Northwood Park, Gatwick Road, Crawley, West Sussex, RH10 9XN, United Kingdom. Or if within the US, Spirent Communications, 26750 Agoura Road, Calabasas, CA, 91302, USA. Tel No. 1-818-676- 2300 </FONT></DIV> _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
