On 15 March 2012 18:05, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On 03/15/2012 04:19 PM, Sven Geggus wrote:
>
>> So I definitely think gnutls should be more tolerant about
>> certificates which are not in use but provided anyway.
>
> I don't think this is a good idea. The protocol exactly specifies which
> certificates should be present. It does not allow any kind of additional
> information to be present, so by providing it you violate the protocol.
>
> On the practical side, a simpler parser allows for simpler code and
> thus fewer bugs.
I can see your point, but for compatibility reasons all browsers generally cache intermediate certificates and will automatically use them should a site fail to provide them; in addition, they will skip any extra certificates a site may send.

If gnutls doesn't either do this automatically, or at least provide a means for applications to do so, then it is going to lead to a bunch of frustrated and confused users. Having spent quite a lot of time explaining how to address missing intermediate certificates, even to the administrators of banking web sites, I think it will be a lot easier all round to accept a little more complexity in this part of the code.

Cheers
Rich.

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
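As an added example, not part of this thread and not GnuTLS code, the two browser behaviours Rich describes can be shown with Go's crypto/x509 verifier on a constructed PKI: an unrelated extra certificate in the offered set is simply never selected for the path, and a missing intermediate is repaired by retrying with a local cache. The hostname, the CA names, the serial numbers and the `verifyLikeBrowser` fallback policy are assumptions of this example; the path-building itself is what crypto/x509 does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const leafHost = "www.example.test" // constructed hostname for this example

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a certificate for cn signed by parent/parentKey, or a
// self-signed one when parent is nil, using a fresh P-256 key per call.
func makeCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// chainFixtures is a constructed root -> intermediate -> leaf chain plus a
// certificate from an unrelated CA, standing in for extras a site may send.
type chainFixtures struct {
	root, intermediate, leaf, unrelated *x509.Certificate
}

func buildFixtures() *chainFixtures {
	root, rootKey := makeCert("Example Root CA", true, 1, nil, nil)
	inter, interKey := makeCert("Example Intermediate CA", true, 2, root, rootKey)
	leaf, _ := makeCert(leafHost, false, 3, inter, interKey)
	unrelated, _ := makeCert("Unrelated CA", true, 4, nil, nil)
	return &chainFixtures{root: root, intermediate: inter, leaf: leaf, unrelated: unrelated}
}

// verifyWithCandidates verifies leaf against roots, offering every certificate in
// candidates as a possible intermediate; one that lies on no path to a root is never used.
func verifyWithCandidates(roots *x509.CertPool, leaf *x509.Certificate, candidates []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range candidates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: pool,
		DNSName:       leafHost,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// verifyLikeBrowser tries the certificates the server actually sent and, only if
// no path is found, retries with cached intermediates added (usedCache reports that).
func verifyLikeBrowser(roots *x509.CertPool, leaf *x509.Certificate, served, cache []*x509.Certificate) (usedCache bool, err error) {
	if err = verifyWithCandidates(roots, leaf, served); err == nil {
		return false, nil
	}
	if err = verifyWithCandidates(roots, leaf, append(append([]*x509.Certificate{}, served...), cache...)); err == nil {
		return true, nil
	}
	return false, err
}

func main() {
	f := buildFixtures()
	roots := x509.NewCertPool()
	roots.AddCert(f.root)
	fmt.Println("extra unrelated cert sent:", verifyWithCandidates(roots, f.leaf, []*x509.Certificate{f.intermediate, f.unrelated}))
	fmt.Println("intermediate missing, no cache:", verifyWithCandidates(roots, f.leaf, nil))
	used, err := verifyLikeBrowser(roots, f.leaf, nil, []*x509.Certificate{f.intermediate})
	fmt.Printf("intermediate missing, cache consulted: usedCache=%v err=%v\n", used, err)
}
```

The first call succeeds despite the unrelated certificate, the second fails with an unknown-authority error because nothing links the leaf to the root, and the third succeeds only because the cache supplied the intermediate. The cache-first-on-failure order matters for a defender: a chain that verifies only through the cache is still a server misconfiguration worth flagging, which is why `usedCache` is returned rather than hidden.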
