[Help-gnutls] Peer verification
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Nov 25 10:14:25 CET 2007
On Friday 23 November 2007, Michael Bell wrote:
> Hi,
>
> I try to get a correct validation for a https server. My problem is that
> certtool says that everything is fine and gnutls-cli fails.
>
> Configuration:
> - server cert + intermediate ca + root ca
> - server sends only the server cert and the intermediate CA
As I can see in the output you sent me the server is sending 6 certificates
and they do not form a certificate chain. In TLS a certificate chain is
formed by having a list where the next certificate certifies the previous.
Thus the issuer's DN in certificate [0] should be the same as the subject's
DN in certificate [1] and so on. So I believe it is normal for verification to
fail.
regards,
Nikos
- Certificate[0] info:
# The hostname in the certificate matches 'kalender.cms.hu-berlin.de'.
# valid since: Tue Apr 10 09:56:31 CEST 2007
# expires at: Thu Apr 9 09:56:31 CEST 2009
# fingerprint: 04:6D:38:E9:AE:50:3B:FE:68:F6:A1:B7:6A:BD:35:3A
# Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=Computer- und
Medienservice,CN=(kalender|kalender1|kalender2).cms.hu-berlin.de
# Issuer's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 4
- Certificate[1] info:
# valid since: Sat Dec 1 13:11:16 CET 2001
# expires at: Sun Jan 31 13:11:16 CET 2010
# fingerprint: 3E:1F:9E:E6:4C:6E:F0:22:08:25:DA:91:23:08:05:03
# Subject's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT
GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification
Authority,EMAIL=certify at pca.dfn.de
# Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT
GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification
Authority,EMAIL=certify at pca.dfn.de
- Certificate[2] info:
# valid since: Wed Dec 12 19:20:36 CET 2001
# expires at: Mon Dec 12 19:20:36 CET 2005
# fingerprint: 1E:42:77:7F:98:C7:BD:52:C5:EC:47:0A:36:5C:5E:10
# Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,CN=HU-CA [sign
only],EMAIL=hu-ca at rz.hu-berlin.de
# Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT
GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification
Authority,EMAIL=certify at pca.dfn.de
- Certificate[3] info:
# valid since: Mon Oct 18 16:19:09 CEST 2004
# expires at: Sat Oct 18 16:19:09 CEST 2008
# fingerprint: 44:88:A0:5E:93:12:1D:EA:56:E4:00:F6:98:87:58:A4
# Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 1
# Issuer's DN: C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT
GmbH,OU=DFN-PCA,CN=DFN Toplevel Certification
Authority,EMAIL=certify at pca.dfn.de
- Certificate[4] info:
# valid since: Mon Oct 24 13:53:26 CEST 2005
# expires at: Wed Oct 24 13:53:26 CEST 2007
# fingerprint: EA:6E:02:BC:38:91:F2:47:21:9A:0E:9D:F9:E8:3A:BD
# Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-DCA 3
# Issuer's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 1
- Certificate[5] info:
# valid since: Wed Oct 11 16:19:18 CEST 2006
# expires at: Sun Oct 10 16:19:18 CEST 2010
# fingerprint: 41:0C:13:A7:80:BF:FC:41:A6:68:6E:41:42:E7:CD:35
# Subject's DN: C=DE,O=Humboldt-Universitaet zu Berlin,OU=HU-CA,CN=HU-CA 4
# Issuer's DN: C=DE,O=DFN-Verein,OU=DFN-PKI,CN=DFN-Verein PCA Classic - G01
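
The ordering rule described in the reply (issuer DN of certificate [i] equals subject DN of certificate [i+1]) can be checked mechanically. The following is an added example, not part of the original message or of GnuTLS; the function names are hypothetical, it assumes the gnutls-cli layout shown above, and it compares names only, without verifying signatures or validity dates.

```python
import re

HU = "C=DE,O=Humboldt-Universitaet zu Berlin"
TOP = ("C=DE,O=Deutsches Forschungsnetz,OU=DFN-CERT GmbH,OU=DFN-PCA,"
       "CN=DFN Toplevel Certification Authority,EMAIL=certify at pca.dfn.de")
# Constructed input: only the DN lines of the six certificates listed above.
SAMPLE = f"""- Certificate[0] info:
# Subject's DN: {HU},OU=Computer- und
Medienservice,CN=(kalender|kalender1|kalender2).cms.hu-berlin.de
# Issuer's DN: {HU},OU=HU-CA,CN=HU-CA 4
- Certificate[1] info:
# Subject's DN: {TOP}
# Issuer's DN: {TOP}
- Certificate[2] info:
# Subject's DN: {HU},CN=HU-CA [sign only],EMAIL=hu-ca at rz.hu-berlin.de
# Issuer's DN: {TOP}
- Certificate[3] info:
# Subject's DN: {HU},OU=HU-CA,CN=HU-CA 1
# Issuer's DN: {TOP}
- Certificate[4] info:
# Subject's DN: {HU},OU=HU-CA,CN=HU-DCA 3
# Issuer's DN: {HU},OU=HU-CA,CN=HU-CA 1
- Certificate[5] info:
# Subject's DN: {HU},OU=HU-CA,CN=HU-CA 4
# Issuer's DN: C=DE,O=DFN-Verein,OU=DFN-PKI,CN=DFN-Verein PCA Classic - G01"""


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    joined = re.sub(r"\n(?![#-])", " ", text)  # re-join wrapped DN lines
    return re.findall(r"# Subject's DN: (.*)\n# Issuer's DN: (.*)", joined)


def order_breaks(certs):
    """Indices i where the issuer of [i] is not the subject of [i+1] (names only)."""
    return [i for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]


def usable_path(certs):
    """Indices reached from [0] by following issuer names through the sent set."""
    by_subject = {s: i for i, (s, _) in enumerate(certs)}
    path = [0]
    while certs[path[-1]][1] in by_subject:
        nxt = by_subject[certs[path[-1]][1]]
        if nxt in path:  # self-signed certificate or loop: stop
            break
        path.append(nxt)
    return path
```

On this list every adjacent pair breaks the rule, and the only run reachable from certificate [0] by name is [0] then [5], whose issuer (DFN-Verein PCA Classic - G01) is not among the certificates sent.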