[Help-gnutls] CA cert verification

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Aug 23 20:31:21 CEST 2005


On Monday 22 August 2005 09:56, Daniel Stenberg wrote:

Hello,
> I have a little problem with my GnuTLS-enabled libcurl and CA cert
> verifying a server. If I build it with OpenSSL instead it succeeds (using
> the same CA cert file I should say).
>
> Can you perhaps point out an obvious flaw in this flow?
> gnutls_certificate_allocate_credentials()
> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided
You may want to check the return value to see how many certificates were 
loaded.

> gnutls_init()
> gnutls_set_default_priority()
> gnutls_certificate_type_set_priority()
> gnutls_credentials_set() - sets the cred with the CA file, afaik understood
> gnutls_transport_set_ptr() - sets the file descriptor for the socket
> gnutls_handshake() - handshake, done non-blocking but I doubt that matters
It doesn't.

> gnutls_certificate_get_peers()
> gnutls_certificate_verify_peers2() - this seems to always return error with
> the 'verify_status' integer (that the second argument points to) set to 66
> on exit.
What is the error number returned? The status is garbage if this function
returns an error code.

The sequence looks good. It is just like gnutls-cli, so the problem is 
somewhere in the details.

> $ curl -v https://gmail.google.com/ --cacert
> /usr/share/curl/curl-ca-bundle.crt
What does gnutls-cli give with the same input?

-- 
Nikos Mavrogiannopoulos
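As an added illustration (not code from this thread, libcurl or GnuTLS) of the point above that the status word is only meaningful when gnutls_certificate_verify_peers2() itself succeeds: the helper below checks the return code first and only then decodes the status bitmask, so a caller never acts on garbage. The GNUTLS_CERT_* values are copied from GnuTLS's public gnutls/x509.h as an assumption so the file builds without the library; with them, the 66 reported in the original post decodes to GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND, i.e. no trusted issuer was found for the chain.

```c
#include <stdio.h>
#include <string.h>

/* gnutls_certificate_status_t bits, values copied from GnuTLS's public
 * gnutls/x509.h so this builds without GnuTLS installed (an assumption of
 * this example; real code includes the header instead of redefining them). */
#define GNUTLS_CERT_INVALID          2
#define GNUTLS_CERT_REVOKED          32
#define GNUTLS_CERT_SIGNER_NOT_FOUND 64
#define GNUTLS_CERT_SIGNER_NOT_CA    128

static const struct { unsigned bit; const char *name; } status_names[] = {
    { GNUTLS_CERT_INVALID,          "GNUTLS_CERT_INVALID" },
    { GNUTLS_CERT_REVOKED,          "GNUTLS_CERT_REVOKED" },
    { GNUTLS_CERT_SIGNER_NOT_FOUND, "GNUTLS_CERT_SIGNER_NOT_FOUND" },
    { GNUTLS_CERT_SIGNER_NOT_CA,    "GNUTLS_CERT_SIGNER_NOT_CA" },
};
static void append(char *buf, size_t len, const char *s)
{
    strncat(buf, s, len - strlen(buf) - 1);
}

/* Interpret the (ret, status) pair from gnutls_certificate_verify_peers2().
 * -1: the call failed (ret < 0); status is undefined and must not be read.
 *  0: chain verified cleanly (status == 0).
 *  1: chain rejected; buf gets the set flags joined by '|' (unknown bits as hex). */
int interpret_verify_result(int ret, unsigned status, char *buf, size_t len)
{
    size_t i;
    char hex[16];
    buf[0] = '\0';
    if (ret < 0) {
        snprintf(buf, len, "verify_peers2 returned %d; status undefined", ret);
        return -1;
    }
    if (status == 0)
        return 0;
    for (i = 0; i < sizeof status_names / sizeof status_names[0]; i++) {
        if (status & status_names[i].bit) {
            if (buf[0]) append(buf, len, "|");
            append(buf, len, status_names[i].name);
            status &= ~status_names[i].bit;
        }
    }
    if (status) {  /* bits this table does not know (flags added in later releases) */
        snprintf(hex, sizeof hex, "%s0x%x", buf[0] ? "|" : "", status);
        append(buf, len, hex);
    }
    return 1;
}
```

With the return value of gnutls_certificate_set_x509_trust_file() also checked (it reports how many CA certificates were loaded), a count of 0 explains a GNUTLS_CERT_SIGNER_NOT_FOUND result before any handshake is attempted.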
