
On Tue, Dec 14, 2010 at 10:24:29PM +0100, Florian Weimer wrote:
* Mads Lindstrøm:
I got it to work :) But there seem to be some bugs in the Haskell server certificate handling. It seems that TLS does not transfer the ST (state, as in California) parameter in the X509 subject field. It also seems that the Haskell server does not send the email address.
And in reality, DER encoding isn't reversible, so you better serve the exact certificate blob which was passed to the server. Decoding and reencoding does not work reliably because sometimes, a non-DER version of the certificate has been signed.
DER encoding IS fully reversible. However, you're right about some certificates that have been improperly signed when they were not valid DER. Hopefully this is a thing of the past, and I do intend to keep re-encoding the certificate instead of passing a binary blob (as I used to do at first, with some vestigial code still present). It gives a good workout to the certificate and asn1 DER modules as well, which isn't all that bad.

-- Vincent
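
The two positions in the exchange above, shown as an added example that is not code from the thread or from the Haskell TLS library: strict DER survives a decode/re-encode cycle byte for byte, while a structure that was signed in a non-DER (BER) form does not. The sample bytes are constructed, a SHA-256 comparison stands in for signature verification, and only two BER liberties are handled (long-form lengths and non-0xFF BOOLEAN TRUE).

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one TLV (single-byte tag, definite length). Returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length octets follow
        if n == 0:
            raise ValueError("indefinite length not handled in this sketch")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def der_len(n):
    """DER requires the shortest possible length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def reencode_der(buf):
    """Decode every TLV in buf and emit it again in canonical DER form."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:                      # constructed type: normalise children
            value = reencode_der(value)
        elif tag == 0x01:                   # BOOLEAN: DER allows only 0x00 / 0xFF
            value = b"\x00" if value == b"\x00" else b"\xff"
        out += bytes([tag]) + der_len(len(value)) + value
    return out

def survives_reencoding(signed_bytes):
    """True if a digest over the re-encoded bytes matches the digest that was signed."""
    original = hashlib.sha256(signed_bytes).digest()
    return hashlib.sha256(reencode_der(signed_bytes)).digest() == original

# Constructed samples: SEQUENCE { INTEGER 5, BOOLEAN TRUE }
DER_SAMPLE = bytes.fromhex("3006" "020105" "0101ff")    # canonical DER
BER_SAMPLE = bytes.fromhex("308106" "020105" "010101")  # long-form length, TRUE as 0x01

if __name__ == "__main__":
    print("DER input survives:", survives_reencoding(DER_SAMPLE))
    print("BER input survives:", survives_reencoding(BER_SAMPLE))
```

A server that wants to tolerate such certificates has to keep the bytes it received alongside the parsed form and send those bytes, rather than the re-encoded ones, on the wire.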