[gnutls-dev] generate_rdn_seq() collects CA's issuers, why?
Max Kellermann
max at duempel.org
Tue Dec 12 18:50:17 CET 2006
Hi,
I'm currently hunting a tricky problem in my gnutls application; the
client refuses to send any certificates to the server. I tracked it
all down to generate_rdn_seq(), which does not add the CA's DNs to the
rdn_seq, but adds the CA's issuer's DNs.
Why that?
The CAs are being trusted, not the CA's issuers. Now my client only
sees the root CA, which did not sign his client certificate (Root CA
-> client CA -> client certificate) - which is why the client will not
send any certificate.
Two experiments resulted in a success (which should not be):
- first, I added another client certificate to the server's trusted
"CAs", now the client would see his own issuer in the list and sent
his own certificate
- second, I modified generate_rdn_seq() to call
_gnutls_x509_crt_get_raw_dn() instead of
_gnutls_x509_crt_get_raw_issuer_dn() - the same: everything works
fine.
If I'm correct and if this is really a bug in gnutls, I believe my
second experiment is a solution for the gnutls bug.
Max
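The mismatch described above, reduced to a constructed model (added example, not gnutls code): the server builds its CertificateRequest DN list from its trusted CAs, and the client only offers a certificate whose issuer DN appears in that list. The DNs and the names generate_rdn_seq/client_would_send_cert/simulate are hypothetical; the two variants reproduce the observed behaviour with the CA's issuer DN and with the CA's own subject DN.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a certificate: only subject and issuer DN matter here. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Constructed chain: Root CA -> Client CA -> client certificate. */
static const cert_t client_ca = { "CN=Client CA", "CN=Root CA" };
static const cert_t client    = { "CN=Alice",     "CN=Client CA" };
/* A second, unrelated client certificate that the post's first experiment
 * added to the server's trusted "CAs". */
static const cert_t other_client = { "CN=Bob", "CN=Client CA" };

#define MAX_RDN 8

/* Build the DN list the server advertises. use_issuer_dn == 1 models the
 * behaviour the post describes (the CA's issuer DN is added); 0 models the
 * proposed fix (the CA's own subject DN is added). Returns the list length. */
static size_t generate_rdn_seq(const cert_t *cas, size_t n_cas, int use_issuer_dn,
                               const char *out[MAX_RDN])
{
    size_t count = 0;
    for (size_t i = 0; i < n_cas && count < MAX_RDN; i++)
        out[count++] = use_issuer_dn ? cas[i].issuer : cas[i].subject;
    return count;
}

/* Client side: offer the certificate only if its issuer DN is in the list. */
static int client_would_send_cert(const cert_t *c, const char *rdn_seq[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(rdn_seq[i], c->issuer) == 0)
            return 1;
    return 0;
}

/* Server trusts Client CA, optionally plus the unrelated client cert
 * (experiment 1). Returns 1 if the client ends up sending its certificate. */
int simulate(int use_issuer_dn, int trust_other_client)
{
    const cert_t trusted[2] = { client_ca, other_client };
    const char *rdn_seq[MAX_RDN];
    size_t n = generate_rdn_seq(trusted, trust_other_client ? 2 : 1,
                                use_issuer_dn, rdn_seq);
    return client_would_send_cert(&client, rdn_seq, n);
}

int main(void)
{
    printf("issuer DN, CA only:      %d\n", simulate(1, 0)); /* 0: list holds only Root CA */
    printf("issuer DN + extra cert:  %d\n", simulate(1, 1)); /* 1: experiment 1 */
    printf("subject DN, CA only:     %d\n", simulate(0, 0)); /* 1: experiment 2 */
    return 0;
}
```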