[gnutls-devel] [PATCH] Tolerate unsorted certificate chains in GnuTLS 2.12.23

mancha mancha1 at hush.com
Fri Jul 26 23:23:02 CEST 2013


Hi.

Per RFC 5246: "The sender's certificate MUST come first in the
               list. Each following certificate MUST directly
               certify the one preceding it."

Unfortunately, many TLS servers provide their certificate chains
out of order, violating the RFC. GnuTLS 3.0.x+ now tolerates
out-of-order certificate chains by default. Attached patch
backports similar logic to GnuTLS 2.12.x.

I post it for the benefit of others with systems staying on the
2.12.x branch who might find this enhancement valuable. Also,
so other sets of eyes might take a quick look and make sure I
didn't do anything too unruly. Comments welcome.

--mancha

P.S. A little bit of irony....

$ gnutls-cli lists.gnutls.org
[Boring stuff skipped]
- The hostname in the certificate does NOT match 'lists.gnutls.org'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-2.12.23-cert-list-sort.diff
Type: application/octet-stream
Size: 4320 bytes
Desc: not available
URL: </pipermail/attachments/20130726/dd00ac3b/attachment-0001.obj>
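The ordering rule quoted above, as an added illustration that is not the attached patch or GnuTLS code: a small Python model that checks RFC 5246 chain order and rebuilds a misordered chain by following issuer links from the sender's certificate. It assumes the first certificate sent is the sender's (a tolerant client should not pick a different leaf) and uses constructed subject/issuer names in place of real X.509 certificates.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the two
    names the RFC 5246 ordering rule depends on."""
    subject: str
    issuer: str


def is_rfc5246_ordered(chain: List[Cert]) -> bool:
    """RFC 5246: each certificate after the first must directly
    certify the one preceding it (its subject is the previous issuer)."""
    return all(nxt.subject == cur.issuer for cur, nxt in zip(chain, chain[1:]))


def sort_chain(chain: List[Cert]) -> Tuple[List[Cert], List[Cert]]:
    """Rebuild the chain by walking issuer links from chain[0].

    chain[0] is kept as the sender's certificate (assumption: the
    server got at least that position right). Returns (ordered, unlinked);
    'unlinked' holds certificates no issuer link reached, so the caller
    can log them and let path validation decide whether the chain is
    complete. A missing intermediate stops the walk instead of guessing.
    """
    if not chain:
        return [], []
    ordered = [chain[0]]
    pool = list(chain[1:])
    while pool:
        want = ordered[-1].issuer
        if ordered[-1].subject == want:  # self-signed root: chain complete
            break
        match = next((c for c in pool if c.subject == want), None)
        if match is None:  # nobody in the list certifies the last cert
            break
        pool.remove(match)
        ordered.append(match)
    return ordered, pool


# Constructed sample: server sends leaf, root, intermediate (a common
# misordering that a strict RFC 5246 client rejects outright).
LEAF = Cert("CN=lists.example", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
AS_SENT = [LEAF, ROOT, INTER]

if __name__ == "__main__":
    fixed, leftover = sort_chain(AS_SENT)
    print("as sent ordered:", is_rfc5246_ordered(AS_SENT))
    print("after sort:", [c.subject for c in fixed], "unlinked:", leftover)
```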
