[Help-gnutls] CA cert verification

Daniel Stenberg daniel at haxx.se
Mon Aug 22 09:56:45 CEST 2005

Hi friends

I have a little problem with my GnuTLS-enabled libcurl and CA cert verifying a 
server. If I build it with OpenSSL instead it succeeds (using the same CA cert 
file I should say).

Can you perhaps point out an obvious flaw in this flow?


gnutls_certificate_set_x509_trust_file() - if a CA file has been provided




gnutls_credentials_set() - sets the cred with the CA file, afaik understood

gnutls_transport_set_ptr() - sets the file descriptor for the socket

gnutls_handshake() - handshake, done non-blocking but I doubt that matters


gnutls_certificate_verify_peers2() - this seems to always return error with 
the 'verify_status' integer (that the second argument points to) set to 66 on 

How can I proceed to figure out why this happens?

This is using GnuTLS 1.2.0.

Trying 1.0.16 instead, I get verify_status return 130 instead.

This is easily testable using the curl command line tool:

$ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt

(the CA cert path above comes from where Debian's curl install puts the CA
cert bundle)

          -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

More information about the Gnutls-help mailing list