Loading credentials in verify callback just as needed ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Aug 29 13:30:15 CEST 2012 

On Tue, Aug 28, 2012 at 12:23 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> Hi, maybe you can help me or point me to the right direction.
>
> My problem:
> GnuTLS initialization - as used in tools like wget - loads ALL .pem files from
> e.g. /etc/ssl/certs/. This takes 'ages' on slow computers (there are hundreds
> of certificates).
> I can't believe that all these certs are needed to handshake one single HTTPS
> connection.

In the current Internet trust situation most probably you need all of those.

> I am looking for a way to just load the needed certs (very likely with the
> verification callback function).
> The current code is mainly taken from the GnuTLS example client code.
> It's initialization looks like
> gnutls_global_init();
> gnutls_certificate_allocate_credentials(&credentials);
> gnutls_certificate_set_verify_function(credentials,_verify_certificate_callback);
>   * now loading all files in ca_directory by calling
> gnutls_certificate_set_x509_trust_file(credentials, fname,
> GNUTLS_X509_FMT_PEM);

You may also use gnutls_certificate_set_x509_system_trust() for this purpose.

> To reduce startup load, my idea is leaving away
>         gnutls_certificate_set_x509_trust_file()
> while initialization and call it right before
>         gnutls_certificate_verify_peers2()
> while handshaking.

I'm surprised that this function takes long for you. How many
certificates do you have an which version of gnutls is that?

> But how do I know which files to load right here.
> There must be some way to find that out which files/certs are needed.
> As far as I know, OpenSSL is doing something similar using some kind of hashes
> (c_rehash).
> Does anyone can help ?

GnuTLS doesn't have something similar to that, like loading the CA
file on demand.
You could of course simulate that functionality by using the
certificate's authority key identifier, or the issuer's name. What I'd
do if loading time was an issue, is to delegate verification to a
special process that has the CAs loaded already.

regards,
Nikos

More information about the Gnutls-devel mailing list