Comment 8 for bug 1031333

Michael Vogt (mvo) wrote :

Fwiw, when inspecting the site with mozilla and chromium I see the md2 cert in the root of the chain.

And openssl returns:
$ openssl s_client -connect secure-test.streamline-esolutions.com:443 ; openssl s_client -connect secure-test.streamline-esolutions.com
    Verify return code: 19 (self signed certificate in certificate chain)

Which makes me wonder if adding the md2 certs back is not the right option as that is apparently what mozilla and chrome(ium) are doing. Plus openssl fails.

Technically I think (but I have to admit a certain ignorance about the standard) the verification chain is invalid because the server sends that the certificate issuer of the cert in the middle is the md2 cert. It just happens that gnutls implements the verification by trying to find an issuer from the list of trusted certificates and does not rely on the issuer set in the cert itself.