Re: [twsocket] SSL Verify may fail if two certs with same subject are in the CA lookup

2009-10-10 Thread Paul

But how to tell your customers that you do not support all certs of
the MS Root Certificate Program??


That's unexplainable to a user :-(
If possible, you could add the trouble CAs yourself and import all others.
I only had troubles with Verisign.


Paul

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL Verify may fail if two certs with same subject are in the CA lookup

2009-10-10 Thread Arno Garrels
Arno Garrels wrote:
 Paul wrote:
 They've done this before.
 
 Yes, I noticed this as well earlier with a CA path lookup (hashed
 filenames). But it's the same when you use a CA bundle file.
 Internally they lookup issuers by name which may be fast, however is
 unreliable. IMO they should be looking up issuer certs by fingerprint.
 
 I always add my own CA list to avoid these problems.
 
 But how to tell your customers that you do not support all certs of
 the MS Root Certificate Program??
 Firefox works around it like you, they simply do not include those
 trouble-certs.

Correction (just for the record), they do not include them that's true,
however when they are added to the store they are handled correctly. 

--
Arno Garrels
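
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or ICS code: a CA store that returns only the first subject-name match rejects a valid certificate when two CA certs share a subject, while checking every same-subject candidate finds the right issuer. It is a toy model; HMAC stands in for a real signature and all names, keys and certificates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model: HMAC stands in for a real X.509 signature, so "key" is both
# the signing and the verifying key. All names and values are constructed.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes
    sig: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|".encode() + hashlib.sha256(self.key).digest()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.tbs() + self.sig).hexdigest()

def issue(subject: str, key: bytes, ca: Cert) -> Cert:
    unsigned = Cert(subject, ca.subject, key)
    return Cert(subject, ca.subject, key, hmac.new(ca.key, unsigned.tbs(), hashlib.sha256).digest())

def signed_by(cert: Cert, ca: Cert) -> bool:
    return hmac.compare_digest(cert.sig, hmac.new(ca.key, cert.tbs(), hashlib.sha256).digest())

def verify_first_name_match(store, cert):
    """Name-only lookup: take the first CA whose subject equals the issuer."""
    for ca in store:
        if ca.subject == cert.issuer:
            return ca if signed_by(cert, ca) else None
    return None

def verify_all_candidates(store, cert):
    """Check every same-subject CA and return the one that verifies."""
    for ca in store:
        if ca.subject == cert.issuer and signed_by(cert, ca):
            return ca
    return None

# Two roots with the same subject but different keys (e.g. a re-issued root).
OLD_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"old-key")
NEW_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"new-key")
STORE = [OLD_ROOT, NEW_ROOT]
LEAF = issue("CN=www.example.test", b"leaf-key", NEW_ROOT)

if __name__ == "__main__":
    print("first name match :", verify_first_name_match(STORE, LEAF))
    print("all candidates   :", verify_all_candidates(STORE, LEAF))
```

With the store order reversed the name-only lookup happens to succeed, which is why the problem shows up only with some CA bundles.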