On 05/11/14 at 05:03, Hans Witvliet wrote:
Hi,
I followed with interest the thread of Per. Last week I observed something else that surprised me.
With openvpn I also use keys & certificates on client and servers. And no matter what you use on the client, it is the peer at the other end that decides if it will accept the connection or not, based on:
- ca-trust-chain
- revocation list
- validity (date-range) of the certificate.
With firefox I saw different behaviour: I tried to go to an ssl-server, with client-cert-authentication enabled. Much to my surprise, the client directly refused, saying that my cert expired two weeks ago. tcpdump on either side proved that no data was sent along the line.
A warning should be OK, but a plain refusal by firefox feels like big brother is taking control. Or am I that mistaken?
Yes, you are mistaken. A client knowing the certificate is expired and failing right away is the expected behaviour. Why should the client even bother trying an operation that MUST fail? All these are unfortunate side effects of clients being too lenient or plain reckless in the past and users getting accustomed to that.