Control: severity 691864 wishlist Control: retitle 691864 please allow mis-ordered certificate chains Control: fixed 691864 3.1.3-1
On 10/30/2012 10:00 AM, Michal Suchanek wrote: > eg. server has certificate S which is signed by intermediate I which is > signed by CA root R. The server supplies chain S R I which is verified > by gnutls 3.1 but not 3.0. Such servers exist in the wild so this is > clearly an interoporebility issue. it is clearly an interoperability issue, but the peers that are causing it are the peers with the mis-ordered certificates, not GnuTLS. GnuTLS 3.0 is following the RFC, which states: https://tools.ietf.org/html/rfc5246#section-7.4.2 The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. > In gnutls 3.1.3 GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN flag is available and > defaults to on. When this flag is set such chain is verified without > issues. The fact that GnuTLS 3.1 is willing to work around this situation does not indicate that strict RFC-compliance is a bug in GnuTLS 3.0, much less a bug of severity: important. --dkg
signature.asc
Description: OpenPGP digital signature

