From marlam at web.de Thu Apr 22 23:18:10 2004
From: marlam at web.de (Martin Lambers)
Date: Thu, 22 Apr 2004 23:18:10 +0200
Subject: [Help-gnutls] Verifying peer's certificate: how to handle certificate chains?
Message-ID: <20040422211810.GB32699@cthulhu.lambers.home>

Hello!

I'm currently using the example code from the documentation section
"Verifying peer's certificate" to verify certificates. A comment there
says that "Real world programs should be able to handle certificate
chains as well". How?

Must *every* certificate in the chain pass all tests (import, expiration
time, activation time, and hostname), or is it sufficient that there is
*one* certificate that passes all tests?

I assume *every* certificate must pass the import, expiration time, and
activation time tests, but only *one* (the first in the chain??) must
pass the hostname check. Is this correct?

Martin


From nmav at gnutls.org Fri Apr 23 08:39:26 2004
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Fri, 23 Apr 2004 09:39:26 +0300
Subject: [Help-gnutls] Verifying peer's certificate: how to handle certificate chains?
In-Reply-To: <20040422211810.GB32699@cthulhu.lambers.home>
References: <20040422211810.GB32699@cthulhu.lambers.home>
Message-ID: <200404230939.27140.nmav@gnutls.org>

On Friday 23 April 2004 00:18, Martin Lambers wrote:
> Hello!
> I'm currently using the example code from the documentation section
> "Verifying peer's certificate" to verify certificates. A comment
> there says that "Real world programs should be able to handle
> certificate chains as well".
> I assume *every* certificate must pass the import, expiration time,
> and activation time tests, but only *one* (the first in the chain??)
> must pass the hostname check. Is this correct?

Yes, this is correct. The first certificate in the chain belongs to the
host. The other certificates belong to intermediate CAs that certified
that host.

> Martin

-- 
Nikos Mavroyanopoulos


From fippo at goodadvice.pages.de Thu Apr 29 20:25:55 2004
From: fippo at goodadvice.pages.de (Philipp Hancke)
Date: Thu, 29 Apr 2004 20:25:55 +0200
Subject: [Help-gnutls] Self-signed certificates vs Opera
Message-ID: <409148B3.8090702@goodadvice.pages.de>

Hi,

I just ran into some strange behaviour of Opera in conjunction with
gnutls. It does not like accessing pages with self-signed certificates.
Hopefully the following is reproducible:

1) try a gnutls https server, e.g. https://www.gnutls.org:5555/
   with a self-signed certificate
2) accept the certificate for the session
   [i can not see what this server produces then, mine gives a
   GNUTLS_E_ERROR_IN_FINISHED_PACKET
   An error was encountered at the TLS Finished packet calculation. ]
3) hit stop, then reload and everything works.

Also this does not occur when the self-signed certificate is
installed/trusted.

Tested with some old versions of opera5 + 6 and version 7.23

Can anyone reproduce this? Even better, is anyone able to fix it? :)

Philipp


From nmav at gnutls.org Thu Apr 29 23:10:45 2004
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Fri, 30 Apr 2004 00:10:45 +0300
Subject: [Help-gnutls] Self-signed certificates vs Opera
In-Reply-To: <409148B3.8090702@goodadvice.pages.de>
References: <409148B3.8090702@goodadvice.pages.de>
Message-ID: <200404300010.46360.nmav@gnutls.org>

On Thursday 29 April 2004 21:25, Philipp Hancke wrote:
> Hi,
> I just ran into some strange behaviour of Opera in conjunction with
> gnutls. It does not like accessing pages with self-signed certificates.
> Hopefully the following is reproducible
> 1) try a gnutls https server, e.g. https://www.gnutls.org:5555/
> with a self-signed certificate

The gnutls.org server does not have a self-signed certificate. It is
signed by a CA that probably opera does not trust.

> 2) accept the certificate for the session
> [i can not see what this server produces then, mine gives a
> GNUTLS_E_ERROR_IN_FINISHED_PACKET
> An error was encountered at the TLS Finished packet calculation. ]
> 3) hit stop, then reload and everything works.
> Also this does not occur when the self-signed certificate is
> installed/trusted.

This sounds like a problem of opera.

> Can anyone reproduce this? Even better, is anyone able to fix it? :)

I'm not sure it's a gnutls problem, but anyway with that information
there is not much I can do. Try running "gnutls-http-serv -d 3" in the
src/ directory, connect with opera on it and send me the output.

> Philipp

-- 
Nikos Mavroyanopoulos