[Help-gnutls] CA cert verification

Daniel Stenberg daniel at haxx.se
Tue Aug 23 23:25:27 CEST 2005

On Tue, 23 Aug 2005, Nikos Mavrogiannopoulos wrote:

Thanks for responding!

>> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided

> You may want to check the return value to see how many certificates were 
> loaded.

It returns 59.

And incidently:

$ grep -c "BEGIN CERTIFICATE" /usr/share/curl/curl-ca-bundle.crt

>> gnutls_certificate_verify_peers2() - this seems to always return error with
>> the 'verify_status' integer (that the second argument points to) set to 66
>> on exit.

> What is the error number returned? The status is garbage if this function 
> returns an error code.

It returns zero. It bails out in case it returns a < 0 value.

> The sequence looks good. It is just like gnutls-cli, so the problem is 
> somewhere in the details.
>> $ curl -v https://gmail.google.com/ --cacert
>> /usr/share/curl/curl-ca-bundle.crt
> What does gnutls-cli gives with the same input?

(Still using 1.2.0)

$ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted

So it seems it agrees with what my code ends up thinking... ? Or am I not 
doing the right gnutls-cli command line?

Any chance this is a problem that has been fixed since this version I use?

The same verifying command line, using the openssl tool I believe would be:

$ openssl s_client -connect gmail.google.com:443 -CAfile 

It reports success.

          -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

More information about the Gnutls-help mailing list