[gnutls-devel] Mandatory to honor DN in server certificate requests?

Martin Storsjö martin at martin.st
Fri Apr 29 20:19:30 CEST 2016


On Thu, 28 Apr 2016, Martin Storsjö wrote:

> On Thu, 28 Apr 2016, Nikos Mavrogiannopoulos wrote:
>
>> On Wed, Apr 27, 2016 at 10:41 AM, Martin Storsjö <martin at martin.st> wrote:
>> 
>> It is not the TLS protocol which will specify that behavior but rather
>> the application protocol. gnutls takes the conservative approach and
>> does not reveal the ID of the client if it doesn't match the expected
>> ID from the server. That way if you mistakenly specified your
>> certificate from site A your ID will not be revealed just because site
>> B asked for a certificate as well.
>
> Ok, that sounds sensible.
>
>>> Is firefox at fault here (sending unrelated CAs as part of this handshake -
>>> e.g. chrome doesn't send any such), or does gnutls need an option for
>>> intentionally ignoring the requested CAs and sending whatever certificate is
>>> provided, letting the server decide whether it is acceptable?
>> 
>> If the server would accept a certificate not signed by anyone in his
>> accepted list, why not send an empty list instead?
>
> Fair enough - I guess it sounds like I should file a bug with firefox then.

For the record, newer firefox versions (at least 48) seem to have fixed 
this issue as well, so no bug report was filed on my behalf.

// Martin
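The rule described in the thread (only offer a client certificate when the server's certificate_authorities list names its issuer, or names nobody), as an added illustration that is not gnutls's code: it encodes and parses a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) and applies the conservative check. The helper names, the minimal CN-only DER names and the direct-issuer-only comparison are this example's own simplifications.

```python
import struct

def der_cn(name: str) -> bytes:
    """Build a minimal DER DistinguishedName holding only CN=<name> (constructed sample)."""
    s = name.encode()
    attr = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(s)]) + s   # OID 2.5.4.3, UTF8String
    atv = b"\x30" + bytes([len(attr)]) + attr                         # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                           # RelativeDistinguishedName SET
    return b"\x30" + bytes([len(rdn)]) + rdn                          # Name SEQUENCE

def build_certificate_request(cas):
    """Encode a CertificateRequest body: certificate_types, sig algs, certificate_authorities."""
    body = b"\x01\x01"              # certificate_types: one entry, rsa_sign(1)
    body += b"\x00\x02\x04\x01"     # supported_signature_algorithms: one entry, sha256/rsa
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    return body + struct.pack("!H", len(ca_list)) + ca_list

def parse_certificate_authorities(body):
    """Return the DER DistinguishedNames a server listed; [] means 'any issuer is fine'."""
    pos = 1 + body[0]                                   # skip certificate_types
    sig_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + sig_len                                  # skip supported_signature_algorithms
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    cas = []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if pos + dn_len > end:
            raise ValueError("truncated DistinguishedName")
        cas.append(body[pos:pos + dn_len])
        pos += dn_len
    return cas

def should_offer_certificate(issuer_dn, cas):
    """Conservative rule from the thread: offer the certificate only if the server asked
    for its issuer (or for nobody in particular). Compares the direct issuer only; a full
    implementation would consider every issuer along the client's chain."""
    return not cas or issuer_dn in cas

if __name__ == "__main__":
    site_a, site_b = der_cn("Site A CA"), der_cn("Site B CA")
    req = build_certificate_request([site_b])          # site B asks only for its own CA
    cas = parse_certificate_authorities(req)
    print("offer site-A cert to site B:", should_offer_certificate(site_a, cas))  # False
    print("offer with empty CA list:", should_offer_certificate(site_a, []))     # True
```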
