On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote:
I guess this is verification based on the RFC 5280 path validation. Unlike that, NSS ignores the provided trust chain and tries to construct a new one internally. That's interesting and happens to work around the issue here, but it is not and must not be required for all software to reconstruct trust chains. TLS is very specific on that issue: the chain is provided by the server.
From my perspective as an application developer who wants the Internet to "just work," and where proper functionality is defined as "whatever Firefox and Chrome do"... any deviation from NSS's behavior is problematic. :/ I know this is unfortunate but that's the reality of the Internet.
I understand, but this is not the case here. The internet isn't broken because gnutls and openssl have some limitation, but because the current NSS-derived ca-certificates work assumes the NSS validation strategy. This should not be allowed in the Fedora package.
regards, Nikos
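As an added illustration of the distinction drawn in this thread (example code, not from the thread or from gnutls, openssl or NSS): a strict RFC 5280-style check that walks exactly the chain the server sent, next to an NSS-style search that ignores that order and builds its own path from a pool of candidates. It assumes the `cryptography` Python package; every key and certificate name is constructed on the spot, and the scenario (an intermediate still served under a root that was dropped from the store, with a re-signed copy of the same intermediate available) is a constructed model of the situation described above.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key):
    """Constructed test certificate; validity window and extensions are kept minimal."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=30))
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """Name chaining plus signature check: the core of one RFC 5280 path step."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def verify_provided_chain(chain, anchors):
    """Strict: walk exactly the chain the server sent (leaf first) up to a trust anchor."""
    return (all(signed_by(c, i) for c, i in zip(chain, chain[1:]))
            and any(signed_by(chain[-1], a) for a in anchors))

def build_path(cert, pool, anchors, depth=0):
    """NSS-style: ignore the sent order and search the pool for any path ending at an anchor."""
    if any(signed_by(cert, a) for a in anchors):
        return True
    return depth < 5 and any(signed_by(cert, c) and build_path(c, pool, anchors, depth + 1)
                             for c in pool if c is not cert)

def demo():
    old_key, new_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    new_root = make_cert("New Root", new_key, "New Root", new_key)          # the only trust anchor kept
    int_old = make_cert("Intermediate", int_key, "Old Root", old_key)       # still sent by the server; its root was dropped
    int_new = make_cert("Intermediate", int_key, "New Root", new_key)       # same key, re-signed under the kept root
    leaf = make_cert("www.example.test", leaf_key, "Intermediate", int_key)
    return {"strict_provided_chain": verify_provided_chain([leaf, int_old], [new_root]),  # False
            "path_built_from_store": build_path(leaf, [int_old, int_new], [new_root]),  # True
            "strict_with_fixed_chain": verify_provided_chain([leaf, int_new], [new_root])}  # True
```

The strict check only passes once the server sends a chain that actually reaches a trusted root, which is the fix the thread argues for, rather than relying on every client to rebuild the path the way NSS does.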