[Help-gnutls] Re: CA cert verification
Simon Josefsson
jas at extundo.com
Wed Aug 24 00:11:22 CEST 2005
Daniel Stenberg <daniel at haxx.se> writes:
>>> $ curl -v https://gmail.google.com/ --cacert
>>> /usr/share/curl/curl-ca-bundle.crt
>> What does gnutls-cli give with the same input?
>
> (Still using 1.2.0)
>
> $ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
> ...
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> ...
>
> So it seems it agrees with what my code ends up thinking... ? Or am I not
> doing the right gnutls-cli command line?
>
> Any chance this is a problem that has been fixed since this version I use?

Using gnutls-cli from GnuTLS 1.2.6 appears to be able to connect and
verify the peer fine here (see below).

Cheers,
Simon

jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
Processed 59 CA certificate(s).
Resolving 'gmail.google.com'...
Connecting to '64.233.183.107:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'gmail.google.com'.
# valid since: Wed Jun 8 00:12:57 CEST 2005
# expires at: Thu Jun 8 00:12:57 CEST 2006
# fingerprint: 1E:56:99:FD:16:73:C1:95:8F:9F:AD:43:29:F1:93:5A
# Subject's DN: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com
# Issuer's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
- Certificate[1] info:
# valid since: Thu May 13 02:00:00 CEST 2004
# expires at: Tue May 13 01:59:59 CEST 2014
# fingerprint: 84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
# Subject's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
...