[Help-gnutls] Peer certificates not signed by any CA

Florian Weimer fweimer at bfk.de
Wed Jul 12 13:21:17 CEST 2006

* Nikos Mavrogiannopoulos:

>> May I assume that the first certificate returned by
>> gnutls_certifcate_get_peers contains public key material which
>> actually corresponds to the private key material which was used to
>> establish the ssession?

> No. That would be the last certificate in the chain. 

Ah, thanks.

>> By the way, gnutls_certificate_client_set_retrieve_function is not a
>> well-designed interface.  The callback function lacks a closure
>> parameter. 

> What do you mean by closure parameter?

Most libraries provide a void * argument which can be used to pass
user data to the callback function.  For an example, see libpcap and

>> Even worse, it is hard to fake it because 
>> gnutls_certificate_client_set_retrieve_function is called with a
>> credentials structure, and the callback is called with a session
>> structure.  Extremely annoying.

> But you want to know the session in the callback (to obtain information 
> about the current session). The session is the caller of the callback. 

I might also need a database handle to fetch data that is used to
verify the client certificate, or to locate the function that should
be called.  Currently, I put the data I need into the transport data
structure and call gnutls_transport_get_ptr in the verification
callback function, but this is rather hackish.

It seems that gnutls_certificate_verify_peers2 sometimes returns 0
even though no matching certificate chain has been provided.  Shall we
discuss details on this mailing list or somewhere else?

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Durlacher Allee 47            tel: +49-721-96201-1
D-76131 Karlsruhe             fax: +49-721-96201-99

More information about the Gnutls-help mailing list