After finding shortcomings in the verifi ... / 2009-11-27

2009-11-27 After finding shortcomings in the verifi ... 9 years ago
After finding shortcomings in the verification by openssl s_client I tried the gnutls command-line client gnutls-cli. The upside of gnutls-cli is that it does use IPv6 when available. But.. gnutls-cli decides not to trust a server when using the same certificate set as used in testing openssl s_client.
~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p imaps imaps.cs.uu.nl
..
*** Verifying server certificate failed...
versus
:~$ openssl s_client -verify 10 -CAfile /etc/ssl/certs/ca-certificates.crt -connect imaps.cs.uu.nl:imaps
..
    Verify return code: 0 (ok)
Weird. I would not be completely surprised when my own root CA had issues in very strict utilities but the chain used for the work servers is very well tested.

Update 2012-04-01: Found out later that gnutls-cli had a point: the order of the certificate chain given by the server was incorrect. Which is something all other applications allow.

Tags: , ,

, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.004357 seconds.