On Fri, 2015-07-10 at 23:22 +0000, brian m. carlson wrote:
> On Fri, Jul 10, 2015 at 11:31:44PM +0100, David Woodhouse wrote:
> > On Fri, 2015-07-10 at 22:01 +0000, brian m. carlson wrote:
> > > Note that the certificate is in fact valid and verifies correctly, as
> > > Firefox accepts it.
> >
> > What CA is used to verify it?
>
> Go Daddy Secure Certificate Authority - G2
>
> The certificate is in the system store:
>
> Go_Daddy_Root_Certificate_Authority_-_G2.crt
That's not the same one. The "Root" CA is the *issuer* of the "Secure" CA which signed your server's certificate. Your server should be including the intermediate "Secure" CA in the exchange on the wire, and then we'd be able to make the chain all the way to the 'Root' CA which is actually trusted.

I found the same thing as you when I tested — it worked in Firefox but not with anything else. That was because the 'Secure' CA was already present in my Firefox certificate database, so we *could* complete the missing part of the chain.

> > A simple 'fix' might be just to change the translation to use the
> > canonical form U+00ED for the í instead of U+0069 + U+0301.
> >
> > Is there a reason *not* to do that?
>
> That's probably the easiest solution, and I suspect the one most
> likely to work.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/59e5f95

Thanks for identifying the problem, btw. That was extremely non-obvious.

-- 
dwmw2
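The normalization point raised in the message above, as an added example that is not code from the openconnect project or from either author of the thread: a small Python check that scans a translation catalog for entries containing decomposed sequences such as U+0069 U+0301 (the form the thread identifies as the problem), reports their NFC composed form (U+00ED), and compares strings under canonical equivalence so a match no longer depends on which form a translator typed. The catalog, its msgids and all function names are constructed for this example.

```python
import unicodedata

# Constructed sample catalog (msgid -> translation); not taken from any real .po file.
# Two entries deliberately use decomposed (NFD) sequences, as in the case from the thread.
SAMPLE_CATALOG = {
    "Login failed": "Inicio de sesi\u00f3n fallido",   # precomposed U+00F3, already NFC
    "Password:": "Contrase\u006e\u0303a:",             # n + U+0303 combining tilde (NFD)
    "Continue?": "\u00bfContinuar?",                   # no composition involved
    "Country:": "Pa\u0069\u0301s:",                    # i + U+0301 combining acute (NFD)
}


def describe(text):
    """Render a string as space-separated U+XXXX code points for diagnostics."""
    return " ".join(f"U+{ord(ch):04X}" for ch in text)


def find_non_nfc(catalog):
    """Return {msgid: (original, nfc_form)} for translations that are not in NFC.

    A byte-for-byte comparison against a server string will fail for these
    entries even though they look identical on screen.
    """
    problems = {}
    for msgid, text in catalog.items():
        nfc = unicodedata.normalize("NFC", text)
        if nfc != text:
            problems[msgid] = (text, nfc)
    return problems


def normalize_catalog(catalog):
    """Rewrite every translation into NFC, the canonical composed form."""
    return {msgid: unicodedata.normalize("NFC", text) for msgid, text in catalog.items()}


def same_text(a, b):
    """Compare two strings under canonical equivalence rather than code-point identity."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


if __name__ == "__main__":
    for msgid, (orig, nfc) in find_non_nfc(SAMPLE_CATALOG).items():
        print(f"{msgid!r}: {describe(orig)}  ->  {describe(nfc)}")
```

Running this flags the two decomposed entries and shows U+0069 U+0301 becoming U+00ED. Normalizing the catalog at build time (or normalizing both sides in the comparison) removes the dependence on how the translator's editor happened to encode the accented character.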