Re: [TLS] Verifying X.509 Certificate Chains out of order

Nelson B Bolyard <nelson at bolyard.me> writes:

>I think we've been seeing the behaviors of the same product. As you say, if
>you send a no-certificate response, the server continues in the "normal" (no
>client auth) fashion.  But if you DO provide a client cert, then the server
>drops the connection.

I've had a quick look through the logs and this problem has been around for a
long time, the first reports I can find are from 2002-2003 and cover not just
MTAs but also things like SSL-enabled FTP servers.  It also affects quite a
shopping-list of services running a variety of implementations, including ones
with a user base in the 10-million-plus region.  This is why I switched to the
"don't-bother-the-user" default behaviour, it's easier than convincing (say) a
large multinational to change the behaviour of their servers.

(I'll send a few names in private mail to see if they match what you're
seeing).

Peter.

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls


