Verifying server certificate failed?!


Verifying server certificate failed?!

by Sven Geggus-5

Hello,

calling https://iad.iosb.fraunhofer.de/~geg/ using a Webbrowser gives me a
valid TLS connection.

So does "gnutls-cli iad.iosb.fraunhofer.de -p 443"

But calling the following does not work:
gnutls-cli iad.iosb.fraunhofer.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'iad.iosb.fraunhofer.de'...
Connecting to '153.96.8.17:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Is this a bug in gnutls or a misconfiguration of my Apache Server?

Sven

--
The source code is not comprehensible
                 (found in bug section of man 8 telnetd on Redhat Linux)

/me is giggls@ircnet, http://sven.gegg.us/ on the Web

_______________________________________________
Help-gnutls mailing list
Help-gnutls@...
https://lists.gnu.org/mailman/listinfo/help-gnutls

Re: Verifying server certificate failed?!

by Bugzilla from rich@kde.org

Your chain file includes the root certificate as well as the
intermediate certificate. You should not be transmitting that one
(though I think GnuTLS should ignore it and would regard it as a bug
if it doesn't).

Cheers

Rich.

On 15 March 2012 11:57, Sven Geggus <lists@...> wrote:

> Hello,
>
> calling https://iad.iosb.fraunhofer.de/~geg/ using a Webbrowser gives me a
> valid TLS connection.
>
> So does "gnutls-cli iad.iosb.fraunhofer.de -p 443"
>
> But calling the following does not work:
> gnutls-cli iad.iosb.fraunhofer.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
> Processed 142 CA certificate(s).
> Resolving 'iad.iosb.fraunhofer.de'...
> Connecting to '153.96.8.17:443'...
> *** Verifying server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.
>
> Is this a bug in gnutls or a misconfiguration of my Apache Server?
>
> Sven
>
> --
> The source code is not comprehensible
>                 (found in bug section of man 8 telnetd on Redhat Linux)
>
> /me is giggls@ircnet, http://sven.gegg.us/ on the Web
>

Re: Verifying server certificate failed?!

by Sven Geggus-5

Richard Moore <rich@...> wrote:

> Your chain file includes the root certificate as well as the
> intermediate certificate. You should not be transmitting that one

There has been one unrelated certificate (the one for the User CA) in the
chain which caused the problem. Sending the root cert is probably tolerated.
I did not check this.

What I have now is the following:
SSLCertificateChainFile /path/to/file/with/all/intermediate/certs
SSLCACertificateFile  /path/to/file/with/all/certs/including/root

Anything else causes trouble. My first try has been to put all certificates
into one file and point SSLCertificateChainFile and SSLCACertificateFile
to this file.

So I definitely think gnutls should be more tolerant about certificates
which are not in use but provided anyway.

Regards

Sven

--
"In my opinion MS is a lot better at making money than it is at making good
operating systems" (Linus Torvalds, August 1997)

/me is giggls@ircnet, http://sven.gegg.us/ on the Web


Re: Verifying server certificate failed?!

by Nikos Mavrogiannopoulos

On 03/15/2012 04:19 PM, Sven Geggus wrote:

> So I definitely think gnutls should be more tolerant about
> certificates which are not in use but provided anyway.

I don't think this is a good idea. The protocol exactly specifies which
certificates should be present. It does not allow any kind of additional
information to be present so by providing it you violate the protocol.

On the practical side, a simpler parser allows for simpler code and
thus less bugs.

regards,
Nikos


Re: Verifying server certificate failed?!

by Sven Geggus-5

Nikos Mavrogiannopoulos <nmav@...> wrote:

> I don't think this is a good idea. The protocol exactly specifies which
> certificates should be present. It does not allow any kind of additional
> information to be present so by providing it you violate the protocol.

RFC documents are not set in stone. Quite the opposite, their sole
purpose is to enable interoperability. So if breaking the rules is
good for interoperability the RFC should be changed in the first
place.

Back to the original discussion. FF, chrome and even IE do not care about
the unnecessary certificates at all.

> On the practical side, a simpler parser allows for simpler code and
> thus less bugs.

*granted*

Sven

--
"The most important aspect you should consider before deciding on an open
source operating system is that you will not be getting a Windows
operating system." (from http://www.dell.de/ubuntu)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web


Re: Verifying server certificate failed?!

by Ted Zlatanov

On Thu, 15 Mar 2012 19:05:40 +0100 Nikos Mavrogiannopoulos <nmav@...> wrote:

NM> On 03/15/2012 04:19 PM, Sven Geggus wrote:
>> So I definitely think gnutls should be more tolerant about
>> certificates which are not in use but provided anyway.

NM> I don't think this is a good idea. The protocol exactly specifies which
NM> certificates should be present. It does not allow any kind of additional
NM> information to be present so by providing it you violate the protocol.

NM> On the practical side, a simpler parser allows for simpler code and
NM> thus less bugs.

Could the error message be improved, if that doesn't complicate the code
too much?

Ted


Re: Verifying server certificate failed?!

by Bugzilla from rich@kde.org

On 15 March 2012 18:05, Nikos Mavrogiannopoulos <nmav@...> wrote:

> On 03/15/2012 04:19 PM, Sven Geggus wrote:
>
>> So I definitely think gnutls should be more tolerant about
>> certificates which are not in use but provided anyway.
>
> I don't think this is a good idea. The protocol exactly specifies which
> certificates should be present. It does not allow any kind of additional
> information to be present so by providing it you violate the protocol.
>
> On the practical side, a simpler parser allows for simpler code and
> thus less bugs.

I can see your point, but for compatibility reasons all browsers
generally cache intermediate certificates and will automatically use
them should a site fail to provide them, and in addition they will
skip any extra certificates a site may send. If gnutls doesn't either
do this automatically, or at least provide a means for applications to
do so then it is going to lead to a bunch of frustrated and confused
users.

Having spent quite a lot of time explaining how to address missing
intermediate certificates even to the administrators of banking web
sites, I think it will be a lot easier all round to accept a little
more complexity in this part of the code.

Cheers

Rich.


Re: Verifying server certificate failed?!

by Nikos Mavrogiannopoulos

On 03/16/2012 01:26 PM, Richard Moore wrote:

>>
>> On the practical side, a simpler parser allows for simpler code
>> and thus less bugs.
> I can see your point, but for compatibility reasons all browsers
> generally cache intermediate certificates and will automatically use
> them should a site fail to provide them, and in addition they will
> skip any extra certificates a site may send. If gnutls doesn't
> either do this automatically, or at least provide a means for
> applications to do so then it is going to lead to a bunch of
> frustrated and confused users.


gnutls is tolerant and if the correct chain is provided
in the front of the list then it will verify the chain and not complain.
The problem is if there is no proper chain, e.g. if certificates are
thrown in a random order.

> Having spent quite a lot of time explaining how to address missing
> intermediate certificates even to the administrators of banking web
> sites, I think it will be a lot easier all round to accept a little
> more complexity in this part of the code.


I understand. It should have been thought that their software should
have reordered the provided list or should have failed due to an
unordered list (gnutls servers don't allow you to provide illegal chains).

It is not currently in my todo list, but if there is a simple and clean
patch to re-order the certificate list prior to verification I'll accept it.

regards,
Nikos

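As an added example (not code from the thread or from GnuTLS), here is the reordering step Nikos describes applied to the situation Sven ran into: the certificate list as sent is put into issuer order starting from the leaf, anything that does not link into that chain is reported as an extra (the unrelated User CA certificate), the list is checked for the leaf-first ordering GnuTLS tolerates, and the chain is checked against a trust store as --x509cafile does. Certificates are modelled as constructed (subject, issuer) pairs and all CA names are placeholders; only the hostname comes from the thread.

```python
# Added example (not GnuTLS code): order certs as sent by a server into a
# leaf-to-root chain via issuer -> subject matching, flag leftovers, and
# check whether the chain reaches a trusted CA. Certs are constructed
# (subject, issuer) pairs; real code would read the names from the PEM blocks.
from typing import Dict, List, Tuple

Cert = Tuple[str, str]  # (subject, issuer); a self-signed root has both equal

def order_chain(certs: List[Cert]) -> Tuple[List[Cert], List[Cert]]:
    """(chain, extras). TLS requires the sender's own cert first, so certs[0]
    is the leaf; the remaining certs may arrive in any order."""
    if not certs:
        return [], []
    by_subject: Dict[str, int] = {}
    for i in range(1, len(certs)):
        by_subject.setdefault(certs[i][0], i)  # first copy wins on duplicates
    used = [0]
    while True:
        subject, issuer = certs[used[-1]]
        if subject == issuer:  # self-signed root reached
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in used:  # issuer not sent, or a loop
            break
        used.append(nxt)
    chain = [certs[i] for i in used]
    extras = [c for i, c in enumerate(certs) if i not in used]
    return chain, extras

def chains_to_trust(certs: List[Cert], trusted: List[str]) -> bool:
    """True if some cert in the ordered chain is, or is issued by, a trusted
    subject (the job of --x509cafile in the thread's gnutls-cli call)."""
    chain, _ = order_chain(certs)
    return any(s in trusted or i in trusted for s, i in chain)

def is_sent_in_order(certs: List[Cert]) -> bool:
    """The shape GnuTLS tolerates per the thread: the correct chain at the
    front of the list, in order; anything after it can be ignored."""
    chain, _ = order_chain(certs)
    return certs[:len(chain)] == chain

# Constructed sample mirroring the thread: leaf, an unrelated User CA cert,
# the real intermediate, then the root. CA names are placeholders.
SENT: List[Cert] = [
    ("CN=iad.iosb.fraunhofer.de", "CN=Example Server CA"),
    ("CN=Example User CA", "CN=Example Root CA"),  # not part of the chain
    ("CN=Example Server CA", "CN=Example Root CA"),
    ("CN=Example Root CA", "CN=Example Root CA"),
]
```

Moving the stray certificate to the end of the list (or dropping it) is what makes `is_sent_in_order` true, which matches the fix Sven arrived at in his Apache configuration.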