Bug#573736: https SSL verification fails

Simon Josefsson simon at josefsson.org
Sat Mar 27 15:07:21 UTC 2010


tags 573736 wontfix
retitle 573736 permit incorrectly sorted server certificate chains
thanks

Thorsten Glaser <tg at mirbsd.de> writes:

> Simon Josefsson dixit:
>
>>It seems alioth.debian.org is configured incorrectly, the chain it is
>>sending isn't sorted in the right order:
> […]
>>So I don't see any GnuTLS bug here.
>
> Most people configuring servers are clueless. Why can’t GnuTLS sort
> the chain (and drop the Root CA Cert) itself, as OpenSSL appears to
> do (maybe to reduce support requests such as this one)? Especially,
> for example when you have no influence over the server in use… even
> if the standard mandates an order (did not check), being liberal in
> accepting sometimes helps.

Being liberal in what you accept for security protocol implementations
is almost always a bad idea in my experience.

The chain validation implementation in GnuTLS is far from perfect, and
I'd like to have one that would fully conform to RFC 5280.  However,
sorting the chain sounds like a step in the wrong direction to me.  This
issue is a rare problem, and working around the problem in GnuTLS
doesn't help: the server remains broken for any other implementations.
It seems better to me that you notice the problem as quickly as
possible, rather than much later when it can be more difficult to
understand what the problem is.

I'm tagging this bug as wontfix and retitling it, so others can find the
discussion more easily.  (I'm only speaking as upstream GnuTLS maintainer;
the Debian GnuTLS maintainers could disagree and patch this problem in
the Debian packages if they think it is a good idea to do so.)

/Simon
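
The ordering question discussed above, as an added example that is not part
of this message, of GnuTLS or of OpenSSL: a strict RFC 5246 section 7.4.2
ordering check (server certificate first, each following certificate
certifying the one before it, self-signed root optional) next to the lenient
path rebuilding Thorsten asks for, both run over a constructed misordered
chain. Certificates are modelled as subject/issuer name pairs only, so the
code runs offline; the names are made up and nothing here reflects what
alioth.debian.org actually sent. Signature and trust checks are out of scope.

```python
"""Strict vs. liberal handling of a TLS server certificate chain order.

RFC 5246 section 7.4.2: the server's certificate comes first, each following
certificate directly certifies the one preceding it, and the self-signed
root MAY be omitted.  Certificates are modelled as (subject, issuer) name
pairs; this is an illustration, not GnuTLS or OpenSSL code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def strict_order_errors(chain):
    """Return RFC 5246 ordering violations; an empty list means conforming.

    chain[0] is taken to be the end-entity certificate, as the protocol
    requires.  A trailing self-signed root is permitted (it MAY be omitted,
    it is not forbidden).  Only ordering is checked, not signatures.
    """
    errors = []
    for i in range(len(chain) - 1):
        this, nxt = chain[i], chain[i + 1]
        if this.issuer != nxt.subject:
            errors.append(
                f"cert {i} ({this.subject!r}) is issued by {this.issuer!r}, "
                f"but cert {i + 1} is {nxt.subject!r}")
    return errors


def liberal_build_path(chain):
    """Reorder a chain the way a lenient client would.

    Starts from chain[0] (the end-entity certificate), repeatedly picks the
    certificate whose subject matches the current issuer, stops at a
    self-signed certificate and drops it (the client must supply its own
    trust anchor anyway).  Stops early, without error, when the issuer is not
    in the chain: the trust store may still know it.  Raises ValueError on a
    cycle so that a genuinely broken chain is rejected, not silently accepted.
    """
    if not chain:
        raise ValueError("empty chain")
    by_subject = {}
    for cert in chain:
        by_subject.setdefault(cert.subject, []).append(cert)

    path = [chain[0]]
    seen = {chain[0].subject}
    while not path[-1].self_signed:
        candidates = by_subject.get(path[-1].issuer)
        if not candidates:
            break  # issuer not supplied by the server; leave to trust store
        nxt = candidates[0]
        if nxt.subject in seen:
            raise ValueError(f"issuer cycle at {nxt.subject!r}")
        seen.add(nxt.subject)
        path.append(nxt)

    if path[-1].self_signed and len(path) > 1:
        path.pop()  # drop the root the server should not have needed to send
    return path


# Constructed sample (made-up names): leaf, then root, then intermediate,
# i.e. the root and the intermediate are swapped.
LEAF = Cert("CN=www.example.org", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
MISORDERED_CHAIN = [LEAF, ROOT, INTERMEDIATE]
CONFORMING_CHAIN = [LEAF, INTERMEDIATE]


if __name__ == "__main__":
    # Strict client (GnuTLS-style behaviour described in this thread):
    for err in strict_order_errors(MISORDERED_CHAIN):
        print("strict:", err)
    # Lenient client: same chain is quietly rebuilt into a valid path.
    print("lenient:", [c.subject for c in liberal_build_path(MISORDERED_CHAIN)])
```

Running it shows the trade-off Simon describes: the strict check reports two
violations for the swapped chain, while the lenient path builder returns the
leaf and intermediate and hides the server misconfiguration from whoever
could fix it.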
