[gnutls-help] Server supplied Certificate in Handshake

Stephen Nightingale night at nist.gov
Fri Apr 4 20:49:05 CEST 2014


I am running GnuTLS 3.1.16 as both client and server, with a python-gnutls
wrapper extended to check for DANE certificate uses, here:
https://www.had-pilot.com/dane/danelaw.html.

The GnuTLS server is running all 0xx and 1xx DANE certificate uses, serving
a single end certificate per use. It runs 24/7 robustly.  It can only
be configured to take a single end certificate for the server handshake.
When presented with a concatenation of PEM certs, it will send only the
end cert in the server side handshake. This is curious, because the GnuTLS
client will retrieve the full cert chain in communication with, e.g.,
the TLSlite server.

I tried this with gnutls-cli and gnutls-serv, configuring the server with
a concatenated PEM chain, with the same result: only the end cert is
delivered to the client.

Has this issue been fixed in subsequent versions of GnuTLS?  Are there plans
to fix it?

Cheers,

Stephen Nightingale, NIST.
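A check for the situation described in the post, added here as an example and not part of the original message or of GnuTLS: compare the certificate chain configured in a PEM file with the chain the server actually sends in its handshake. The file-side helpers split the concatenated PEM and verify that the certificates are in chain order (end-entity certificate first, each issuer matching the subject of the next), which is the order a TLS server is expected to send; the server-side helper captures the served chain with `openssl s_client -showcerts`. It assumes `openssl` is installed; `chain.pem`, `example.net` and `443` in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuTLS): compare the chain
# configured in a PEM file with the chain a server sends in its handshake.
# Assumes openssl is available; host/port/file names are placeholders.

# Number of certificates in a concatenated PEM file (0 if none).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a concatenated PEM file into one file per certificate, in the
# order they appear; prints the temporary directory holding them.
split_pem_chain() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > out }
        /^-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
    echo "$dir"
}

# Print subject and issuer of each certificate in file order and warn when
# certificate i+1 is not the issuer of certificate i (end-entity cert first).
check_chain_order() {
    dir=$(split_pem_chain "$1")
    prev_issuer=""
    i=0
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%d: subject=%s\n   issuer=%s\n' "$i" "$subj" "$iss"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            printf '   WARNING: certificate %d is not the issuer of certificate %d\n' "$i" "$((i - 1))"
        fi
        prev_issuer=$iss
    done
    rm -rf "$dir"
}

# Capture the chain the server sends in its handshake, as PEM, in handshake
# order (what the client would see; no trust evaluation is done here).
served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# Usage: compare_chains chain.pem example.net 443
# Reports how many certificates are configured versus served, then lists
# both chains so a missing intermediate or a wrong file order stands out.
compare_chains() {
    served=$(mktemp)
    served_chain "$2" "$3" > "$served"
    echo "configured: $(count_pem_certs "$1") cert(s); served: $(count_pem_certs "$served") cert(s)"
    echo "--- configured ($1) ---"
    check_chain_order "$1"
    echo "--- served by $2:$3 ---"
    check_chain_order "$served"
    rm -f "$served"
}
```

If the configured count is larger than the served count, the server is dropping part of the file; if `check_chain_order` warns on the configured file, the concatenation itself is out of order (intermediate before the end-entity certificate), which is worth ruling out before blaming the server.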
