[Help-gnutls] Re: CA cert verification

Daniel Stenberg daniel at haxx.se
Wed Aug 24 09:33:13 CEST 2005

On Wed, 24 Aug 2005, Simon Josefsson wrote:

> jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt 
> gmail.google.com

The key difference turns out to be:


Which gnutls-cli sets and I didn't. When I use this, I can successfully verify 
this server's certificate!

Perhaps the gnutls_certificate_verify_peers2() description in the docs could 
hint about the possibility that this is needed?

Another little nit that is slightly related:

gnutls-cli uses the gnutls_certificate_verify_peers() function (alias, not the 
*2 version), there are numerous references to this function in the docs but 
there's no description for it... I take it the 
gnutls_certificate_verify_peers2() is the one we should be using, but it would 
probably be suitable if gnutls-cli was switched to use it and if the 
references in the docs were updated as well.

          -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

More information about the Gnutls-help mailing list