[Help-gnutls] CA cert verification
Daniel Stenberg
daniel at haxx.se
Mon Aug 22 09:56:45 CEST 2005
Hi friends
I have a little problem with my GnuTLS-enabled libcurl and CA cert verifying a server. If I build it with OpenSSL instead it succeeds (using the same CA cert file, I should say).
Can you perhaps point out an obvious flaw in this flow?
gnutls_certificate_allocate_credentials()
gnutls_certificate_set_x509_trust_file() - if a CA file has been provided
gnutls_init()
gnutls_set_default_priority()
gnutls_certificate_type_set_priority()
gnutls_credentials_set() - sets the cred with the CA file, as far as I understood it
gnutls_transport_set_ptr() - sets the file descriptor for the socket
gnutls_handshake() - handshake, done non-blocking but I doubt that matters
gnutls_certificate_get_peers()
gnutls_certificate_verify_peers2() - this seems to always return error with the 'verify_status' integer (that the second argument points to) set to 66 on exit.
How can I proceed to figure out why this happens?
This is using GnuTLS 1.2.0.
Trying 1.0.16 instead, I get verify_status return 130 instead.
This is easily testable using the curl command line tool:
$ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt
(the CA cert path above comes from where Debian's curl install puts the CA cert bundle)
--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
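As an added example, not code from the mail above nor from libcurl or GnuTLS: the first thing to do with a non-zero verify_status is to decode it as the bitmask it is. The flag values below are those of gnutls_certificate_status_t in <gnutls/gnutls.h>; that GnuTLS 1.2.0 and 1.0.16 assigned the same bits is my assumption, so the decoding of 66 and 130 should be checked against the header of the release actually in use.

```c
/* Added example, not code from the original mail: decode the verify_status
 * bitmask that gnutls_certificate_verify_peers2() fills in. Bit values are
 * those of gnutls_certificate_status_t in <gnutls/gnutls.h>; that 1.2.0 and
 * 1.0.16 shared them is my assumption. No GnuTLS linkage is needed. */
#include <stdio.h>
#include <string.h>

struct status_bit { unsigned int bit; const char *name; };

static const struct status_bit STATUS_BITS[] = {
    { 1u << 1,  "GNUTLS_CERT_INVALID" },            /*    2 */
    { 1u << 5,  "GNUTLS_CERT_REVOKED" },            /*   32 */
    { 1u << 6,  "GNUTLS_CERT_SIGNER_NOT_FOUND" },   /*   64 */
    { 1u << 7,  "GNUTLS_CERT_SIGNER_NOT_CA" },      /*  128 */
    { 1u << 8,  "GNUTLS_CERT_INSECURE_ALGORITHM" }, /*  256 */
    { 1u << 9,  "GNUTLS_CERT_NOT_ACTIVATED" },      /*  512 */
    { 1u << 10, "GNUTLS_CERT_EXPIRED" },            /* 1024 */
};
/* Write the set flags' names, '|'-joined, into out; return the number of
 * known flags set. Status 0 (chain verified) yields "" and 0; bits missing
 * from the table are reported as UNKNOWN(0x..) so nothing is silently dropped. */
int decode_verify_status(unsigned int status, char *out, size_t outlen)
{
    size_t n = sizeof STATUS_BITS / sizeof STATUS_BITS[0];
    unsigned int seen = 0;
    int count = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!(status & STATUS_BITS[i].bit))
            continue;
        snprintf(out + strlen(out), outlen - strlen(out), "%s%s",
                 count ? "|" : "", STATUS_BITS[i].name);
        seen |= STATUS_BITS[i].bit;
        count++;
    }
    if (status & ~seen)
        snprintf(out + strlen(out), outlen - strlen(out), "%sUNKNOWN(0x%x)",
                 count ? "|" : "", status & ~seen);
    return count;
}

int main(void)
{
    char buf[128];
    /* The two values from the mail: 66 (GnuTLS 1.2.0) and 130 (1.0.16). */
    decode_verify_status(66, buf, sizeof buf);  printf("66  -> %s\n", buf);
    decode_verify_status(130, buf, sizeof buf); printf("130 -> %s\n", buf);
    return 0;
}
```

Under these bit values, 66 reads as INVALID plus SIGNER_NOT_FOUND (no issuer in the trust file matched) and 130 as INVALID plus SIGNER_NOT_CA (an issuer matched but was not accepted as a CA), which points the investigation at the CA bundle's parsing rather than at the handshake flow.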