On 01/20/2011 05:58 PM, Václav Ovsík wrote:
> On Thu, Jan 20, 2011 at 05:22:12PM +0100, Nikos Mavrogiannopoulos wrote:
>> Hello,
>> Indeed I'm mistaken.
>>
>>> The reported problem is about the order of certificates with the same
>>> subject DN in the repository during certificate verification. I have server
>>> certificates issued by older and newer CA certificates, both valid of
>>> course. GnuTLS must find the right CA certificate from two or even
>>> more with the same subject DN.
>>> I tried to examine in the bug report that, based on the order of two CA
>>> certificates with the same subject DN IN THE REPOSITORY, GnuTLS fails
>>> on the newer or older server certificate. There was no change on the server
>>> side or so. I changed the CA cert order only on the client side repository.
>>
>> Yes, gnutls does stop on the first match no matter if expired or not... Is
>> there merit in supporting lists that contain duplicates of certificates?
> Changing the subject DN on certificate renewals is maybe good practice, but
> AFAIK not required. Administrators of our company CA (Microsoft CA)
> simply did not change it. Their choice, OK.

No, don't take my point as being that changing the DN is recommended. I am not
suggesting that. What I suggest is that the old certificate can be removed from
the list once the renewed one is added.

> OpenSSL handles this smoothly and I think it is a bug otherwise.
> When OpenSSL's c_rehash is called on a directory of X.509 certificates, it
> numbers hashes as aabbccdd.n, where n is for resolution of the same
> Subjects. So when I look into my repository:

I note it as an issue with the gnutls verification functionality, and I'll fix
it together with some other issues by adding a more advanced verification
subsystem.

regards,
Nikos
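The order-dependent lookup Václav describes (stop at the first CA whose subject DN matches, then validate it) next to a lookup that treats every CA with that subject DN as a candidate, as an added example that is not GnuTLS code and not from this thread. It assumes the Python `cryptography` package; the CA names, key pairs and dates are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

NOW = dt.datetime(2011, 1, 20)  # constructed "current time" for the validity checks

def issue(subject, issuer, key, signer, start, days, ca):
    """Build a minimal certificate; subject/issuer are constructed CN-only names."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

def is_issuer(cert, ca, now):
    """The checks a DN match alone skips: CA inside its validity window, and its key verifies cert."""
    if not ca.not_valid_before <= now <= ca.not_valid_after:
        return False
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def first_match(cert, store, now=NOW):
    """Lookup as described in the thread: the first subject-DN match is the only candidate."""
    for ca in store:
        if ca.subject == cert.issuer:
            return ca if is_issuer(cert, ca, now) else None
    return None

def all_matches(cert, store, now=NOW):
    """Order-independent lookup: every subject-DN match is tried until one checks out."""
    for ca in store:
        if ca.subject == cert.issuer and is_issuer(cert, ca, now):
            return ca
    return None

# Constructed repository: expired old CA and renewed CA share one subject DN; the server cert is from the renewed key.
old_key, new_key, srv_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
OLD_CA = issue("Company CA", "Company CA", old_key, old_key, NOW - dt.timedelta(days=800), 730, True)
NEW_CA = issue("Company CA", "Company CA", new_key, new_key, NOW - dt.timedelta(days=30), 730, True)
SERVER = issue("www.example.test", "Company CA", srv_key, new_key, NOW - dt.timedelta(days=10), 365, False)
```

With `first_match`, `[OLD_CA, NEW_CA]` rejects the server certificate while `[NEW_CA, OLD_CA]` accepts it; `all_matches` returns the renewed CA for either order.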

