[Help-gnutls] CA cert verification
Daniel Stenberg
daniel at haxx.se
Tue Aug 23 23:25:27 CEST 2005
On Tue, 23 Aug 2005, Nikos Mavrogiannopoulos wrote:
Thanks for responding!
>> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided
> You may want to check the return value to see how many certificates were
> loaded.
It returns 59.
And incidentally:
$ grep -c "BEGIN CERTIFICATE" /usr/share/curl/curl-ca-bundle.crt
59
>> gnutls_certificate_verify_peers2() - this seems to always return error with
>> the 'verify_status' integer (that the second argument points to) set to 66
>> on exit.
> What is the error number returned? The status is garbage if this function
> returns an error code.
It returns zero. It bails out in case it returns a < 0 value.
> The sequence looks good. It is just like gnutls-cli, so the problem is
> somewhere in the details.
>
>> $ curl -v https://gmail.google.com/ --cacert
>> /usr/share/curl/curl-ca-bundle.crt
> What does gnutls-cli gives with the same input?
(Still using 1.2.0)
$ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
...
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
...
So it seems it agrees with what my code ends up thinking... ? Or am I not
doing the right gnutls-cli command line?
Any chance this is a problem that has been fixed since this version I use?
The same verifying command line, using the openssl tool I believe would be:
$ openssl s_client -connect gmail.google.com:443 -CAfile
/usr/share/curl/curl-ca-bundle.crt
It reports success.
--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
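The status word Daniel reports, 66, is a bitmask: 66 = 2 | 64, which in gnutls.h is GNUTLS_CERT_INVALID together with GNUTLS_CERT_SIGNER_NOT_FOUND. That is exactly the condition gnutls-cli prints as "Peer's certificate issuer is unknown" followed by "Peer's certificate is NOT trusted", so the two tools agree. The following decoder is an added example, not code from the thread, from curl or from GnuTLS: it reproduces the relevant gnutls_certificate_status_t bit values locally so it compiles without the library (check them against your installed header), and it also encodes Nikos's caveat that the status word is only meaningful when gnutls_certificate_verify_peers2() itself returned 0. The descriptive strings are my own wording, modelled on the gnutls-cli messages quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bit values of gnutls_certificate_status_t as declared in <gnutls/gnutls.h>.
 * Copied here so the example builds without the library; assumption: they
 * match the header of the GnuTLS version you actually link against. */
enum {
    CERT_INVALID            = 1 << 1,   /*    2 */
    CERT_REVOKED            = 1 << 5,   /*   32 */
    CERT_SIGNER_NOT_FOUND   = 1 << 6,   /*   64 */
    CERT_SIGNER_NOT_CA      = 1 << 7,   /*  128 */
    CERT_INSECURE_ALGORITHM = 1 << 8,   /*  256 */
    CERT_NOT_ACTIVATED      = 1 << 9,   /*  512 */
    CERT_EXPIRED            = 1 << 10   /* 1024 */
};

/* Human-readable text per flag. CERT_INVALID is listed last because it is a
 * summary bit: GnuTLS sets it whenever any of the specific reasons applies. */
static const struct { unsigned int bit; const char *text; } flag_names[] = {
    { CERT_SIGNER_NOT_FOUND,   "issuer is unknown (no matching CA in the trust store)" },
    { CERT_SIGNER_NOT_CA,      "issuer certificate is not a CA" },
    { CERT_REVOKED,            "certificate has been revoked" },
    { CERT_INSECURE_ALGORITHM, "certificate uses an insecure algorithm" },
    { CERT_NOT_ACTIVATED,      "certificate is not yet valid" },
    { CERT_EXPIRED,            "certificate has expired" },
    { CERT_INVALID,            "certificate is NOT trusted" },
};

/* Append text to buf, separating entries with "; ". */
static void append(char *buf, size_t len, const char *text)
{
    size_t used = strlen(buf);
    if (used >= len)
        return;
    snprintf(buf + used, len - used, "%s%s", used ? "; " : "", text);
}

/* Interpret the (ret, status) pair that a gnutls_certificate_verify_peers2()
 * call produced. Returns -1 when ret < 0 (the call failed and status is
 * garbage), 0 when the chain verified cleanly, otherwise the number of known
 * status flags that were set. buf receives an explanation either way. */
int explain_verify_result(int ret, unsigned int status, char *buf, size_t len)
{
    unsigned int known = 0;
    int n = 0;
    size_t i;

    if (len == 0)
        return -1;
    buf[0] = '\0';

    if (ret < 0) {
        snprintf(buf, len, "verify_peers2 failed with %d; status word is undefined", ret);
        return -1;
    }
    if (status == 0) {
        snprintf(buf, len, "chain verified against the loaded CAs");
        return 0;
    }
    for (i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        known |= flag_names[i].bit;
        if (status & flag_names[i].bit) {
            append(buf, len, flag_names[i].text);
            n++;
        }
    }
    /* Newer GnuTLS versions define further bits; report any we do not name. */
    if (status & ~known) {
        char tmp[48];
        snprintf(tmp, sizeof tmp, "unrecognised status bits 0x%x", status & ~known);
        append(buf, len, tmp);
    }
    return n;
}

int main(void)
{
    char buf[256];

    /* The value from the thread: 66 = CERT_INVALID | CERT_SIGNER_NOT_FOUND. */
    int n = explain_verify_result(0, 66, buf, sizeof buf);
    printf("status 66 -> %d flag(s): %s\n", n, buf);

    /* Constructed case: the API call itself failed, so the status must be ignored
     * (-1 here is a placeholder, not a specific GnuTLS error code). */
    explain_verify_result(-1, 66, buf, sizeof buf);
    printf("ret -1    -> %s\n", buf);
    return 0;
}
```

The ordering of checks mirrors how a caller should treat the API: first the return code, then whether the status word is zero, and only then the individual bits. A caller that reads the status word after a negative return would be reasoning about an uninitialised value, which is the trap Nikos warns about above.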