NetBSD-Users archive


certificate problem on https://ftp7.de.netbsd.org



Hello,

While trying to download NetBSD sets I encountered an invalid certificate
chain issue on https://ftp7.de.netbsd.org

While the certificate is valid, the certificate chain sent is not
sorted correctly.

Chain description (from RFC5246):
"This is a sequence (chain) of certificates.  The sender's
certificate MUST come first in the list.  Each following
certificate MUST directly certify the one preceding it."

The actual chain:

 0 s:/C=DE/ST=Sachsen/L=Leipzig/O=Universitaet Leipzig/OU=Informatik/CN=6bone.informatik.uni-leipzig.de
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/emailAddress=pki%uni-leipzig.de@localhost
 1 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/emailAddress=pki%uni-leipzig.de@localhost
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01

While current versions of OpenSSL and GnuTLS can sort the certificates,
some older SSL libraries cannot and fail to connect to such a
misconfigured server.

It would be nice if somebody fixed that.

PS. I am not subscribed to the list

Thanks

Michal
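
Added example, not part of the original message: a Python check of the ordering rule quoted from RFC 5246, run over the chain listed above. It matches subject and issuer names only and does not verify signatures; the function names are this example's own.

```python
import re

# Chain as listed in the message above, with wrapped lines rejoined.
S_CLIENT_CHAIN = """\
 0 s:/C=DE/ST=Sachsen/L=Leipzig/O=Universitaet Leipzig/OU=Informatik/CN=6bone.informatik.uni-leipzig.de
   i:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/emailAddress=pki%uni-leipzig.de@localhost
 1 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Universitaet Leipzig/OU=URZ/CN=UNIVERSITAET LEIPZIG CA/emailAddress=pki%uni-leipzig.de@localhost
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^[ \t]*\d+[ \t]+s:(.+)$", text, re.M)
    issuers = re.findall(r"^[ \t]*i:(.+)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired s:/i: lines")
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def order_violations(chain):
    """Positions n where certificate n+1 is not the issuer of certificate n."""
    return [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]

def sorted_order(chain):
    """Indices in RFC 5246 order: leaf first, then follow issuer names upward."""
    by_subject = {}
    for idx, (subj, _) in enumerate(chain):
        by_subject.setdefault(subj, idx)
    order, current = [0], 0
    while True:
        subj, issuer = chain[current]
        nxt = by_subject.get(issuer)
        # Stop at a self-signed root, a missing issuer, or a loop.
        if subj == issuer or nxt is None or nxt in order:
            return order
        order.append(nxt)
        current = nxt

if __name__ == "__main__":
    chain = parse_chain(S_CLIENT_CHAIN)
    print("out-of-order positions:", order_violations(chain))
    print("order the server should send:", sorted_order(chain))
```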

