Bug#607616: libgnutls26: the GnuTLS searches CA certs by subject and stops on first? (fails on more CA with the same subj)

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jan 20 16:22:12 UTC 2011

On 01/20/2011 05:01 PM, Václav Ovsík wrote:
> Hi Nikos,
> On Mon, Dec 20, 2010 at 05:03:28PM +0100, Nikos Mavrogiannopoulos wrote:
>> You cannot reorder certificates on will. For TLS/SSL the certificates
>> have to be ordered (from RFC5246):
>> "This is a sequence (chain) of certificates.  The sender's
>> certificate MUST come first in the list.  Each following
>> certificate MUST directly certify the one preceding it."
> I'm not sure correctly understood, but I think your reply is not
> relevant to a problem I reported.
> The above citation is about order of certificates in the chain sent in
> the TLS protocol by server right?

Indeed I'm mistaken.

> The reported problem is about order of certificates with the same
> subject DN in the repository during verifying certificate. I have server
> certificates issued by older and newer CA certificate both valid of
> course. GnuTLS must find the right certificate of CA from two or even
> more with the same subject DN.
> I tried to examine in the bug-report, that based on the order of two CA
> certificates with the same subject DN IN THE REPOSITORY the GnuTLS fails
> on newer or older server certificate. There was no change on server
> sides or so. I changed CA cert order only on the client side repository.

Yes gnutls does stop on first match no matter if expired or not... Is
there merit in supporting lists that contain duplicates of certificates?
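
To make the ordering issue concrete, here is an added example in Go (not code from the thread or from GnuTLS) that builds the situation Václav describes using only the standard library: two root certificates with the identical subject DN, one from the old CA key and one from the new, plus a server certificate signed by the new one. `firstMatchIssuer` stops at the first subject match, as the thread says GnuTLS did; `allMatchesIssuer` tries every match and keeps the one whose key verifies the signature; `x509.Verify` shows that Go's own chain builder also considers every candidate. All names, serials and validity periods are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; this example builds test fixtures and has no caller to report to.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue signs tmpl with parent (self-signed when parent is nil) and returns the parsed cert and its key.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate gives every root the same subject DN: the key-rollover situation from the thread.
func caTemplate(serial int64, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// firstMatchIssuer is the lookup the thread describes: the first entry whose subject
// equals the leaf's issuer DN is taken, and no other candidate is tried.
func firstMatchIssuer(store []*x509.Certificate, leaf *x509.Certificate) (*x509.Certificate, error) {
	for _, ca := range store {
		if bytes.Equal(ca.RawSubject, leaf.RawIssuer) {
			return ca, leaf.CheckSignatureFrom(ca) // a failure here is final even if the right twin is next
		}
	}
	return nil, x509.UnknownAuthorityError{Cert: leaf}
}

// allMatchesIssuer tries every subject match and keeps the one whose key verifies the signature.
func allMatchesIssuer(store []*x509.Certificate, leaf *x509.Certificate) (*x509.Certificate, error) {
	for _, ca := range store {
		if bytes.Equal(ca.RawSubject, leaf.RawIssuer) && leaf.CheckSignatureFrom(ca) == nil {
			return ca, nil
		}
	}
	return nil, x509.UnknownAuthorityError{Cert: leaf}
}

// Result records which lookups accept the leaf for one ordering of the store.
type Result struct{ FirstMatchOK, AllMatchesOK, PoolVerifyOK bool }

// Scenario builds an old and a new root with the same subject, a server certificate
// issued by the new one, and a store in the requested order; besides the two lookups
// above it runs x509.Verify, whose chain builder also tries every subject match.
func Scenario(oldFirst bool) Result {
	now := time.Now()
	oldCA, _ := mustIssue(caTemplate(1, now.Add(-5*365*24*time.Hour)), nil, nil)
	newCA, newKey := mustIssue(caTemplate(2, now.Add(-24*time.Hour)), nil, nil)
	leaf, _ := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}, newCA, newKey)
	store := []*x509.Certificate{oldCA, newCA}
	if !oldFirst {
		store[0], store[1] = newCA, oldCA
	}
	pool := x509.NewCertPool()
	pool.AddCert(oldCA)
	pool.AddCert(newCA)
	_, errFirst := firstMatchIssuer(store, leaf)
	_, errAll := allMatchesIssuer(store, leaf)
	_, errPool := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "server.example.test", CurrentTime: now})
	return Result{errFirst == nil, errAll == nil, errPool == nil}
}

func main() {
	fmt.Printf("old CA first: %+v\nnew CA first: %+v\n", Scenario(true), Scenario(false))
}
```

With the old CA listed first only the first-match lookup fails; with the new CA first all three succeed, which is exactly the order-dependent behaviour the bug report describes. Supporting a store that contains several CAs with one subject therefore needs the candidate loop rather than a rule against duplicate subjects; when both sides carry key identifiers, the leaf's Authority Key Identifier is a cheap pre-filter before the signature check.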

