[Haskell-cafe] Taking the TLS package for a spin ... and failing

Vincent Hanquez tab at snarc.org
Wed Dec 15 00:41:48 CET 2010


On Tue, Dec 14, 2010 at 10:24:29PM +0100, Florian Weimer wrote:
> * Mads Lindstrøm:
> 
> > I got it to work :) But there seem to be some bugs in the Haskell
> > server certificate handling. It seems that TLS does not transfer the ST
> > (state, as in California) parameter in the X509 subject field. It also
> > seems that the Haskell server does not send the email address.
> 
> And in reality, DER encoding isn't reversible, so you better serve the
> exact certificate blob which was passed to the server.  Decoding and
> reencoding does not work reliably because sometimes, a non-DER version
> of the certificate has been signed.

DER encoding IS fully reversible.

However, you're right about some certificates that have been improperly signed
when they were not valid DER.

Hopefully this is a thing of the past, and I do intend to keep re-encoding the
certificate instead of passing a binary blob (as I used to do at first, with
some vestigial code still present). It gives a good workout to the certificate
and asn1 DER modules as well, which isn't all that bad.

-- 
Vincent
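
Added example, not part of the original message and not code from the tls package: a minimal TLV round trip in Python showing the case discussed in this thread, where a strict DER blob survives decode and re-encode byte for byte, while a BER blob with a non-minimal length does not, so the bytes a signature was computed over change. The sample blobs and all function names are constructed for illustration; only single-byte tags and definite lengths are handled.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one TLV (single-byte tag, definite length); return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form length
        length = first
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not handled in this sketch")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

def der_length(n):
    """DER allows only the shortest possible length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def reencode_der(buf):
    """Decode a TLV tree and re-emit it with minimal lengths (a decode/re-encode round trip)."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:                     # constructed type: normalise the children too
            value = reencode_der(value)
        out += bytes([tag]) + der_length(len(value)) + value
    return out

# Constructed sample: SEQUENCE { UTF8String "CA", INTEGER 5 } in strict DER.
STRICT_DER = bytes.fromhex("3007" "0c024341" "020105")
# Same content, but the string length uses the long form (81 02): valid BER, not DER.
SLOPPY_BER = bytes.fromhex("3008" "0c81024341" "020105")

def signature_input_survives(blob):
    """True if the digest a signature would cover is unchanged by the round trip."""
    original = hashlib.sha256(blob).digest()
    return hashlib.sha256(reencode_der(blob)).digest() == original

if __name__ == "__main__":
    for name, blob in (("strict DER", STRICT_DER), ("sloppy BER", SLOPPY_BER)):
        print(name, "-> signed bytes preserved:", signature_input_survives(blob))
```

A server that re-encodes can run this kind of byte comparison at load time and fall back to serving the original blob when the round trip is not identical.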


