[Help-gnutls] Re: CA cert verification
Daniel Stenberg
daniel at haxx.se
Wed Aug 24 09:33:13 CEST 2005
On Wed, 24 Aug 2005, Simon Josefsson wrote:
> jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
The key difference turns out to be:
    gnutls_certificate_set_verify_flags(cred,
                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
Which gnutls-cli sets and I didn't. When I use this, I can successfully verify
this server's certificate!
Perhaps the gnutls_certificate_verify_peers2() description in the docs could
hint about the possibility that this is needed?
Another little nit that is slightly related:
gnutls-cli uses the gnutls_certificate_verify_peers() function (alias, not the
*2 version), there are numerous references to this function in the docs but
there's no description for it... I take it the
gnutls_certificate_verify_peers2() is the one we should be using, but it would
probably be suitable if gnutls-cli was switched to use it and if the
references in the docs were updated as well.
--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
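
The flag discussed in the message above concerns X.509 version 1 CA certificates, which have no extensions and so cannot carry a basicConstraints CA marker. As an added example (not part of the original post and not GnuTLS code), this dependency-free C routine reads the version out of a DER-encoded certificate, which is how a bundle can be audited for v1 roots. The function names are hypothetical and the two byte arrays are constructed skeletons, not real certificates.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed skeletons: only the outer SEQUENCEs, version and serial. */
static const unsigned char SAMPLE_V1[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x01};
static const unsigned char SAMPLE_V3[] = {0x30,0x0A,0x30,0x08,0xA0,0x03,
                                          0x02,0x01,0x02,0x02,0x01,0x01};

/* Read one DER tag+length at buf[*pos]; advance *pos to the content.
   Returns 0 on success, -1 if the header or content exceeds len. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    if (*pos > len || len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) {
        *clen = b;                       /* short form */
    } else {
        unsigned n = b & 0x7f;           /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
        for (*clen = 0; n > 0; n--) *clen = (*clen << 8) | buf[(*pos)++];
    }
    return (*clen > len - *pos) ? -1 : 0;
}

/* Returns 1, 2 or 3 for the certificate version, -1 on malformed input. */
int x509_der_version(const unsigned char *der, size_t len)
{
    size_t pos = 0, clen;
    unsigned char tag;
    /* Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { ... }, ... } */
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1;
    if (der_header(der, len, &pos, &tag, &clen) || tag != 0x30) return -1;
    size_t end = pos + clen;             /* stay inside tbsCertificate */
    if (der_header(der, end, &pos, &tag, &clen)) return -1;
    if (tag == 0x02) return 1;           /* serial first: version omitted = v1 */
    if (tag != 0xA0) return -1;          /* otherwise expect [0] EXPLICIT */
    if (der_header(der, end, &pos, &tag, &clen) || tag != 0x02 || clen != 1)
        return -1;
    return der[pos] <= 2 ? der[pos] + 1 : -1;  /* encoded 0,1,2 = v1,v2,v3 */
}

int main(void)
{
    printf("sample 1: v%d\n", x509_der_version(SAMPLE_V1, sizeof SAMPLE_V1));
    printf("sample 2: v%d\n", x509_der_version(SAMPLE_V3, sizeof SAMPLE_V3));
    return 0;
}
```

Run over each certificate in a trust bundle, a result of 1 identifies the roots that a verifier will only accept as issuers when v1 CA certificates are allowed.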