Hello, thank you for your response. There's one thing in your reply I don't understand:
Erwann Abalea wrote:
>> It seems to be a valid certificate for OpenSSL, right?
>
> OpenSSL can parse it, yes.
>
> [...]
>
> Reading X.520 shows that the DirectoryString type disallows 0-sized
> elements. So you're right, this isn't a valid X.509 certificate.
>
> [...]
>
> GNUtls is primitive in some aspects, DN parsing is one of them.
> Anyway, the fault is shared between GNUtls and the CA. Not with OpenSSL.

If it isn't a valid X.509 certificate as you agreed, shouldn't openssl complain when I verify/establish a connection using AUTH TLS which will use this certificate?

So for me it is not a question about "tolerance" like you said OpenSSL's ASN1 parser is more tolerant than GnuTLS (it uses libtasn1 BTW): If the certificate is invalid, OpenSSL should tell it and verify shouldn't pass. Not?

--
Regards,
Igor
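The X.520 rule quoted in this message, as an added example that is not part of the original post and is not code from OpenSSL or GnuTLS: a minimal DER walker that lists the attributes in a Name whose DirectoryString value has length zero. The function names and the sample Name are constructed for illustration; only short-form first OID bytes are handled.

```python
# Added example (hypothetical helper names): find 0-sized DirectoryString values in a DER Name.
DIRECTORY_STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
                         0x1C: "UniversalString", 0x1E: "BMPString"}

def read_tlv(buf, pos):  # returns (tag, value_bytes, next_pos) for the TLV at buf[pos]
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):  # first byte packs the first two arcs; the rest are base-128
    arcs, acc = [min(raw[0] // 40, 2)], 0
    arcs.append(raw[0] - 40 * arcs[0])
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def empty_directory_strings(name_der):
    """Return [(attribute_oid, string_type)] for every zero-length DirectoryString."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    findings = []
    for _, rdn in children(rdns):            # RDN: SET OF AttributeTypeAndValue
        for _, atv in children(rdn):         # SEQUENCE { type OID, value }
            (_, oid), (val_tag, val) = list(children(atv))[:2]
            if val_tag in DIRECTORY_STRING_TAGS and not val:
                findings.append((decode_oid(oid), DIRECTORY_STRING_TAGS[val_tag]))
    return findings

def tlv(tag, body=b""):  # builds the constructed sample below; short lengths only
    return bytes([tag, len(body)]) + body

SAMPLE_NAME = tlv(0x30,  # constructed: CN=example.test, OU=<empty UTF8String>
    tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"example.test"))) +
    tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0b") + tlv(0x0C))))
```

Calling `empty_directory_strings(SAMPLE_NAME)` reports the empty OU attribute, which a parser that only checks TLV well-formedness would accept without comment.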