On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote:
>> I guess this is verification based on the rfc5280 path
>> validation.
>> Unlike that, NSS ignores the provided trust chain and tries to construct
>> a new one internally. That's interesting and happens to work around the
>> issue here, but it is not and must not be required for all software to
>> reconstruct trust chains. TLS is very specific on that issue: the
>> chain is provided by the server.
> From my perspective as an application developer who wants the Internet
> to "just work," and where proper functionality is defined as "whatever
> Firefox and Chrome do"... any deviation from NSS's behavior is
> problematic. :/ I know this is unfortunate but that's the reality of the
> Internet.
I understand, but this is not the case here. The internet isn't broken
because gnutls and openssl have some limitation, but because the
current NSS-derived ca-certificates assume the NSS validation
strategy. This should not be allowed in the Fedora package.
regards,
Nikos
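The two path-building strategies contrasted in the thread, as an added example that is not part of the original messages and not code from GnuTLS, OpenSSL or NSS. It models certificates as records carrying only subject, issuer and key identifiers; the signature check is simplified to a name plus key-id match (a stated simplification, real code verifies the signature). The certificate names, key ids and the "legacy root removed from the store" scenario are constructed for illustration. `validate_supplied_chain` takes the server-supplied chain as-is, in the RFC 5280 spirit Nikos describes; `build_chain_by_lookup` ignores the supplied order and searches for any issuer it can find among the trust anchors and a local pool of known certificates, the way NSS reconstructs a chain.

```python
"""Model of two X.509 path-building strategies (stdlib only, constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """Only the fields that drive path building are modelled."""
    subject: str
    issuer: str
    ski: str  # subject key identifier
    aki: str  # authority key identifier (key id of the signing key)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    # Simplification: issuer name + key-id match stands in for signature verification.
    return cert.issuer == issuer.subject and cert.aki == issuer.ski


def validate_supplied_chain(chain: Sequence[Cert], anchors: Sequence[Cert]) -> Optional[List[str]]:
    """Strict strategy: the chain is used exactly as the server sent it (leaf first).

    Each certificate must be signed by the next one, and the last one must be
    (or be signed by) a trust anchor. Returns the subjects of the validated path,
    or None if the supplied chain does not lead to an anchor."""
    if not chain:
        return None
    for cur, nxt in zip(chain, chain[1:]):
        if not signed_by(cur, nxt):
            return None
    last = chain[-1]
    if last in anchors:
        return [c.subject for c in chain]
    for anchor in anchors:
        if signed_by(last, anchor):
            return [c.subject for c in chain] + [anchor.subject]
    return None


def build_chain_by_lookup(leaf: Cert, supplied: Sequence[Cert], local_pool: Sequence[Cert],
                          anchors: Sequence[Cert], max_depth: int = 8) -> Optional[List[str]]:
    """Reconstructing strategy: discard the supplied order and search for issuers.

    Candidate issuers are the supplied certificates plus a local pool (e.g. a
    bundled or cached intermediate). Anchors are tried first at every step;
    otherwise the search backtracks over every candidate that signed the current
    certificate, so a cross-signed intermediate can be replaced by another
    certificate for the same key that chains to a still-trusted root."""
    candidates = list(supplied) + list(local_pool)

    def search(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if len(path) > max_depth:
            return None
        for anchor in anchors:
            if signed_by(cert, anchor):
                return path + [anchor]
        for cand in candidates:
            if cand in path:  # avoid loops through cross-signed pairs
                continue
            if signed_by(cert, cand):
                found = search(cand, path + [cand])
                if found:
                    return found
        return None

    found = search(leaf, [leaf])
    return [c.subject for c in found] if found else None


# Constructed scenario: a legacy root was dropped from the trust store, the
# intermediate exists both cross-signed by that legacy root and freshly signed
# by the new root, and the server still sends the cross-signed copy.
NEW_ROOT = Cert("New Root CA", "New Root CA", "k-newroot", "k-newroot")
LEGACY_ROOT = Cert("Legacy Root CA", "Legacy Root CA", "k-legacy", "k-legacy")
INTER_CROSS = Cert("Example Intermediate CA", "Legacy Root CA", "k-inter", "k-legacy")
INTER_NEW = Cert("Example Intermediate CA", "New Root CA", "k-inter", "k-newroot")
LEAF = Cert("www.example.com", "Example Intermediate CA", "k-leaf", "k-inter")

TRUST_ANCHORS = [NEW_ROOT]  # LEGACY_ROOT is no longer trusted
LOCAL_POOL = [INTER_NEW]    # hypothetical locally known intermediate


def demo():
    """Returns (strict result, reconstructed result, strict result for a corrected server chain)."""
    server_chain = [LEAF, INTER_CROSS]
    strict = validate_supplied_chain(server_chain, TRUST_ANCHORS)
    rebuilt = build_chain_by_lookup(LEAF, server_chain[1:], LOCAL_POOL, TRUST_ANCHORS)
    corrected = validate_supplied_chain([LEAF, INTER_NEW], TRUST_ANCHORS)
    return strict, rebuilt, corrected


if __name__ == "__main__":
    s, r, c = demo()
    print("supplied chain, strict:      ", s)
    print("reconstructed (NSS-style):   ", r)
    print("corrected server chain, strict:", c)
```

With the server sending the cross-signed intermediate, the strict validator fails (the supplied chain ends at a root that is no longer in the store) while the lookup-based builder succeeds only because it can substitute a locally known certificate for the same intermediate key. Once the server sends the intermediate signed by the new root, the strict validator accepts the chain without any reconstruction, which is the fix the thread argues the server side (or the certificate bundle) should provide rather than requiring every TLS library to rebuild chains.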