[gnutls-devel] Unable to trust server certificate instead of issuing CA

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Dec 5 10:03:27 CET 2014


On Thu, Dec 4, 2014 at 6:40 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 12/04/2014 09:27 AM, Nikos Mavrogiannopoulos wrote:
>> . Please feel free to point out any locations in the documentation
>> that could be improved.
> What do you think about propagating a warning out to the calling app if
> any of the certs loaded by gnutls_certificate_set_x509_trust_file() has
> CA:false ?

The trusted certificate loading functions never returned error codes,
they returned the number of CAs that were loaded. Changing them to
return error codes could break some code. What could be done is using
the gnutls_audit_log() to print a warning.

> Do you think there's any additional interface that needs to be added to
> gnutls-cli to load (<peername>,<peercert>) bindings, or should we expect
> people to use --tofu for this purpose?

I find tofu simpler. Giving too many options may complicate things and
I don't think that this would enable an unhandled use-case.

regards,
Nikos
