[Help-gnutls] Peer certificates not signed by any CA
fweimer at bfk.de
Wed Jul 12 13:21:17 CEST 2006
* Nikos Mavrogiannopoulos:
>> May I assume that the first certificate returned by
>> gnutls_certifcate_get_peers contains public key material which
>> actually corresponds to the private key material which was used to
>> establish the ssession?
> No. That would be the last certificate in the chain.
>> By the way, gnutls_certificate_client_set_retrieve_function is not a
>> well-designed interface. The callback function lacks a closure
> What do you mean by closure parameter?
Most libraries provide a void * argument which can be used to pass
user data to the callback function. For an example, see libpcap and
>> Even worse, it is hard to fake it because
>> gnutls_certificate_client_set_retrieve_function is called with a
>> credentials structure, and the callback is called with a session
>> structure. Extremely annoying.
> But you want to know the session in the callback (to obtain information
> about the current session). The session is the caller of the callback.
I might also need a database handle to fetch data that is used to
verify the client certificate, or to locate the function that should
be called. Currently, I put the data I need into the transport data
structure and call gnutls_transport_get_ptr in the verification
callback function, but this is rather hackish.
It seems that gnutls_certificate_verify_peers2 sometimes returns 0
even though no matching certificate chain has been provided. Shall we
discuss details on this mailing list or somewhere else?
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Durlacher Allee 47 tel: +49-721-96201-1
D-76131 Karlsruhe fax: +49-721-96201-99
More information about the Gnutls-help