On 08/29/2010 07:38 PM, Mounir IDRASSI wrote:
Thank you for your comments.
As I said, this kind of debates can be very heated and going down this
road don't lead usually to any results.
The debate may be whether and how something should be
done in openssl, I admit I had started that one.
I am the first one to wish that the PKI world out there is ideal and
everyone uses correctly validated modules. Unfortunately, we
constantly have to balance between correctness and practicalness.
Some programs are not strict in verification, so be it.
But that has nothing to do with the fact that the certs in question are
not correctly encoded and may create unexpected behaviour...
Concerning Firefox check, I have managed to load the chain and to
validate it correctly using Firefox 3.6.8 under Windows and Ubuntu
10.04. I'm attaching screenshots.
Try edit the trustsetting.
Or: Try load them without setting any trust during loading
and to set some later through the certificate management.
OpenSSL Project http://www.openssl.org
User Support Mailing List email@example.com
Automated List Manager majord...@openssl.org