Hello,

While trying to download NetBSD sets I encountered an invalid certificate chain issue on https://ftp7.de.netbsd.org

While the certificate is valid, the certificate chain sent is not sorted correctly.

Chain description (from RFC5246):

"This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it."

The actual chain:

 0 s:/C=DE/ST=Sachsen/L=Leipzig/O=Universitaet Leipzig/OU=Informatik/CN=6bone.informatik.uni-leipzig.de
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/[email protected]
 1 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/[email protected]
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01

While current versions of OpenSSL and GNUTLS can sort the certificates, some older SSL libraries cannot and fail to connect to such a misconfigured server.

It would be nice if somebody fixed that.

PS. I am not subscribed to the list

Thanks

Michal
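
Added example, not part of the original message: a small checker for the RFC 5246 ordering rule quoted above, run over the s:/i: listing from the report. The function names are hypothetical, and the check compares subject and issuer names only; it does not verify signatures.

```python
import re

# Chain listing copied from the message above (s: = subject, i: = issuer).
CHAIN = """\
0 s:/C=DE/ST=Sachsen/L=Leipzig/O=Universitaet Leipzig/OU=Informatik/CN=6bone.informatik.uni-leipzig.de
  i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/[email protected]
1 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
  i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
  i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
3 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/[email protected]
  i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
"""


def parse_chain(text):
    """Return [(index, subject, issuer), ...] from s:/i: line pairs."""
    subjects = re.findall(r"^\s*(\d+)\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines")
    return [(int(n), s.strip(), i.strip()) for (n, s), i in zip(subjects, issuers)]


def order_violations(chain):
    """Positions k where certificate k is not the issuer of certificate k-1."""
    return [k for k in range(1, len(chain)) if chain[k][1] != chain[k - 1][2]]


def sorted_order(chain):
    """Follow issuer -> subject links from the leaf; return original indices in RFC order."""
    by_subject = {subject: (n, subject, issuer) for n, subject, issuer in chain}
    order, seen, cur = [], set(), chain[0]
    while cur is not None and cur[0] not in seen:
        order.append(cur[0])
        seen.add(cur[0])
        if cur[1] == cur[2]:  # self-signed root ends the chain
            break
        cur = by_subject.get(cur[2])  # None if the issuer was not sent
    return order


if __name__ == "__main__":
    chain = parse_chain(CHAIN)
    print("violations at positions:", order_violations(chain))
    print("order the server should send:", sorted_order(chain))
```
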
