[Help-gnutls] Peer certificates not signed by any CA
Florian Weimer
fweimer at bfk.de
Tue Jun 13 10:31:29 CEST 2006
As far as I can tell, GNUTLS discards a peer certificate unless it is
signed by a trusted CA. For SSH-style "leap of faith" authentication,
this is counterproductive. I could add an outer protocol layer in which
the client tells the server which certificate it is going to send (so
that the server can look it up in a database and tell GNUTLS it is
trusted). However, I'd like to avoid this.
Here's how I set up the session on the server side:
my $cred = new Crypt::GNUTLS::CertificateCredentials;
$cred->set_x509_key_mem($server_cert, $server_key, GNUTLS_X509_FMT_PEM);
my $session = new_server Crypt::GNUTLS::Session;
$session->set_default_priority;
$session->kx_set_priority(qw/RSA/);
$session->certificate_server_set_request(GNUTLS_CERT_REQUEST);
$cred->set($session);
After that, the peer certificate list is empty, even though the client
claims to have sent a certificate. If I mark the client certificate as
trusted, using:
$cred->set_x509_trust_mem($client_cert, GNUTLS_X509_FMT_PEM);
the certificate is returned as desired. However, I can't really load
all client certificates into the library because that wouldn't scale.
Any suggestions?
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Durlacher Allee 47 tel: +49-721-96201-1
D-76131 Karlsruhe fax: +49-721-96201-99
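The database-backed "leap of faith" check the post sketches (accept whatever certificate the peer presents, then decide trust by looking it up) can be expressed without any TLS library once the raw certificate bytes are in hand. The following is an added example, not code from the post or from GnuTLS: an SSH known_hosts-style trust-on-first-use store keyed by a peer identity (assumed here to be a username or hostname supplied by an outer protocol). The certificate blobs are constructed stand-ins for DER-encoded certificates; the fingerprint is the SHA-256 of those bytes, the same function a real deployment would apply to the actual DER.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded client certificates. A real deployment
# would feed in the bytes returned by the TLS library for the peer's cert.
CERT_A = b"\x30\x82\x01\x00constructed-client-cert-A"
CERT_B = b"\x30\x82\x01\x00constructed-client-cert-B"


class TrustOnFirstUseStore:
    """known_hosts-style pin store: identity -> SHA-256 fingerprint of a cert.

    The first certificate seen for an identity is recorded. A later
    certificate for the same identity is accepted only if its fingerprint
    matches; a mismatch is reported and the stored pin is NOT replaced, so a
    changed key requires an explicit administrative action, as with SSH.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def pin_for(self, identity: str) -> Optional[str]:
        return self._pins.get(identity)

    def check(self, identity: str, cert_der: bytes) -> str:
        """Return 'first-use', 'known' or 'mismatch' for this identity/cert."""
        fp = self.fingerprint(cert_der)
        known = self._pins.get(identity)
        if known is None:
            self._pins[identity] = fp          # leap of faith: enrol on first sight
            return "first-use"
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(known, fp):
            return "known"
        return "mismatch"                      # pin deliberately left unchanged

    def forget(self, identity: str) -> None:
        """Administrative reset, the equivalent of deleting a known_hosts line."""
        self._pins.pop(identity, None)

    def dump(self) -> str:
        """Serialise as one 'identity sha256:<hex>' line per pin."""
        return "".join(f"{ident} sha256:{fp}\n" for ident, fp in sorted(self._pins.items()))

    @classmethod
    def load(cls, text: str) -> "TrustOnFirstUseStore":
        """Parse the dump() format; blank lines and '#' comments are ignored."""
        store = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) != 2 or not parts[1].startswith("sha256:"):
                raise ValueError(f"malformed pin on line {lineno}: {raw!r}")
            digest = parts[1][len("sha256:"):]
            if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"bad SHA-256 hex on line {lineno}: {raw!r}")
            store._pins[parts[0]] = digest
        return store


if __name__ == "__main__":
    store = TrustOnFirstUseStore()
    print("alice/A:", store.check("alice", CERT_A))   # first-use
    print("alice/A:", store.check("alice", CERT_A))   # known
    print("alice/B:", store.check("alice", CERT_B))   # mismatch
    print(store.dump(), end="")
```

The decision is made after the handshake, on the bytes the peer actually presented, which is exactly the split the post asks for: the TLS layer only needs to hand over the certificate, and the "is this certificate trusted" question is answered by the application's own database. Treating a mismatch as an error rather than silently re-pinning is what gives the scheme its SSH-like security against a later substituted certificate.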