GNOME Bugzilla – Bug 699026
Build certificate chains out of incorrectly ordered certificates
Last modified: 2019-02-22 11:58:44 UTC
In GcrCertificateChain we respect RFC 5246, which requires that certificates appear in the correct order from the server: first the endpoint, then the intermediates, and (optionally) the root last. However, some servers (like hermes.jabber.org) send certificates in an incorrect order. It seems like many SSL implementations accept intermediate certificates out of order.
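To make the reordering concrete, here is an added Python example (not Gcr's code and not the attached patch). It models certificates as (subject, issuer) name pairs instead of parsed X.509, so it runs offline; the linking rule is the same one a path builder uses: trust only the RFC 5246 guarantee that the first certificate is the endpoint, then follow issuer-name to subject-name links through the rest of the list regardless of the order the server sent them. It also handles the two failure modes a practitioner cares about, a missing intermediate and a stray unrelated certificate. The names and the sample lists are constructed for the example.

```python
"""Rebuild a TLS certificate chain from a list whose intermediates
may be out of order.

Constructed example: certificates are (subject, issuer) name pairs,
not real X.509 objects. The matching rule (this cert's issuer name
equals the next cert's subject name) is the same one an X.509 path
builder applies; signature checking is out of scope here.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root (trust anchor candidate) issues itself.
        return self.subject == self.issuer


def build_chain(certs: List[Cert]) -> List[Cert]:
    """Return [endpoint, intermediate..., root?] in issuing order.

    Only the first element is trusted to be the endpoint (RFC 5246
    7.4.2). Every later link is found by name matching, so a server
    that sends [endpoint, root, intermediate] still yields a correct
    chain. Certificates that are not on the path are dropped. The walk
    stops at a self-signed certificate, when no issuer is present in
    the list, or if it would revisit a certificate (cross-signing loop).
    """
    if not certs:
        raise ValueError("empty certificate list")
    endpoint, pool = certs[0], list(certs[1:])
    chain = [endpoint]
    seen = {endpoint}
    current = endpoint
    while not current.self_signed:
        issuer = next(
            (c for c in pool if c.subject == current.issuer and c not in seen),
            None,
        )
        if issuer is None:
            break  # missing intermediate: caller must fetch it or fail
        chain.append(issuer)
        seen.add(issuer)
        current = issuer
    return chain


def chain_is_complete(chain: List[Cert]) -> bool:
    """True when the rebuilt chain ends in a self-signed certificate."""
    return chain[-1].self_signed


def sample_chains() -> dict:
    """Constructed inputs: the names are illustrative, not real certs."""
    ee = Cert("CN=hermes.jabber.org", "CN=Example Intermediate CA")
    inter = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
    root = Cert("CN=Example Root CA", "CN=Example Root CA")
    stray = Cert("CN=Unrelated CA", "CN=Other Root CA")
    return {
        "ordered": [ee, inter, root],
        # the hermes.jabber.org-style mistake: root before intermediate
        "misordered": [ee, root, inter],
        "with_stray": [ee, stray, root, inter],
        "missing_intermediate": [ee, root],
    }


if __name__ == "__main__":
    for name, certs in sample_chains().items():
        chain = build_chain(certs)
        print(name, [c.subject for c in chain], "complete" if chain_is_complete(chain) else "incomplete")
```

Note that reordering only fixes the presentation problem; a chain rebuilt this way still has to be signature-verified and anchored in a trust store exactly as a correctly ordered one would.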
Created attachment 242651: Build certificate chains even when intermediates are wrong order
http://tools.ietf.org/html/rfc5246#section-7.4.2
Bug report in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=956701
OpenSSL accepts out-of-order certificates. Can be verified by doing:

$ openssl s_client -connect hermes.jabber.org:5223

Or see: http://repo.or.cz/w/mirror-openssl.git/blob/HEAD:/crypto/x509/x509_vfy.c#l237
Attachment 242651 pushed as 5cadd24 - Build certificate chains even when intermediates are wrong order