On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote: > > I guess this is verification based on the rfc5280 path validation. > > Unlike that NSS ignores the provided trust chain and tries to construct > > a new one internally. That's interesting and happens to work around the > > issue here but it is not and must not be required for all software to > > reconstruct trust chains. The TLS is very specific on that issue, the > > chain is provided by the server. > > From my perspective as an application developer who wants the Internet > to "just work," and where proper functionality is defined as "whatever > Firefox and Chrome do"... any deviation from NSS's behavior is > problematic. :/ I know this is unfortunate but that's the reality of the > Internet.
I understand but this is not the case here. The internet isn't broken because of gnutls and openssl have some limitation, but because the current NSS derived ca-certificates work assume the NSS validation strategy. This should not be allowed in the Fedora package. regards, Nikos -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
