[gnutls-help] Server supplied Certificate in Handshake
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Apr 4 22:26:33 CEST 2014
On Fri, 2014-04-04 at 14:49 -0400, Stephen Nightingale wrote:
> I am running GnuTLS 3.1.16 as both client and server, with a python-gnutls
> wrapper extended to check for DANE certificate uses, here:
> https://www.had-pilot.com/dane/danelaw.html.
>
> The GnuTLS server is running all 0xx and 1xx DANE certificate uses, serving
> a single end certificate per use. It runs 24/7 robustly. It can only
> be configured to take a single end certificate for the server handshake.
> When presented with a concatenation of PEM certs, it will send only the
> end cert in the server side handshake. This is curious, because the GnuTLS
> client will retrieve the full cert chain in communication with, e.g.,
> the TLSlite server.
>
> I tried this with gnutls-cli and gnutls-serv, configuring the server with
> a concatenated PEM chain, with the same result: only the end cert is
> delivered to the client.
>
> Has this issue been fixed in subsequent versions of GnuTLS? Are there plans
> to fix it?

If that's the case then it's a bug, but trying 3.1.22 and setting a
correct chain in gnutls-serv, I see in gnutls-cli "- Got a certificate
list of 3 certificates."

regards,
Nikos