[Help-gnutls] Peer certificates not signed by any CA
Florian Weimer
fweimer at bfk.de
Tue Jun 13 14:51:34 CEST 2006
On Tue, Jun 13, 2006 at 12:10:32PM +0200, Nikos Mavrogiannopoulos wrote:
> >the client tells the server which certificate it is going to send (so
> >that the server can look it up in a database and tell GNUTLS it is
> >trusted). However, I'd like to avoid this.
> Why do that in an outer protocol?
Because the server is pre-warned and can feed the expected certificate
to GNUTLS.
> From the server side you can access the actual certificate that the
> client had sent, thus you can look it up in a database (say by using
> the sha-1 of the certificate or even something simpler).
Well, according to my experiments, this doesn't work. 8-( Good to know
that it should, though.
> >After that, the peer certificate list is empty, even though the client
>
> Probably it is empty because the client didn't send any certificate.
Indeed, gnutls_certificate_client_get_request_status returns 0 on the
client side. But if I comment out the set_x509_key_mem call (see
below), the test case with set_x509_trust_mem on the server side begins
to fail. Therefore, I assume that a client certificate is actually
sent to the server.
> How do you set up the client side? If you use the default functions
> most probably the certificate will not be sent if the server doesn't send
> in his certificate request message a list of acceptable CAs (at least
> one CA must have signed that certificate).
my $cred = new Crypt::GNUTLS::CertificateCredentials;
$cred->set_x509_key_mem($client_cert, $client_key, GNUTLS_X509_FMT_PEM);
$cred->set_x509_trust_mem($server_cert, GNUTLS_X509_FMT_PEM);
my $session = new_client Crypt::GNUTLS::Session;
$session->set_default_priority;
$session->kx_set_priority(qw/RSA/);
$cred->set($session);
> In that case if you would like to send the client certificate anyway,
> you should use the callback function (don't remember the name right
> now).
Will try and report. But it's rather strange that I see a certificate
on the server side even if the client doesn't send one. 8-/ Smells like
a bug.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Durlacher Allee 47 tel: +49-721-96201-1
D-76131 Karlsruhe fax: +49-721-96201-99
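Added example, not part of this thread and not using the Crypt::GNUTLS binding shown above: the server-side lookup Nikos describes, where the certificate the client actually sent is identified by its SHA-1 fingerprint and matched against a local trust database, with no CA signature involved. The certificate bytes, the PEM wrapper and the trust database entry are constructed for the demonstration; the identity name is a hypothetical label. The empty peer certificate list that the original message runs into is handled as its own outcome rather than being confused with an unknown certificate.

```python
import base64
import hashlib
import hmac

# Constructed sample: NOT a real X.509 certificate, just opaque DER-like bytes.
# Fingerprint lookup treats the certificate as a byte string, so this is enough
# to exercise the code path.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-client-certificate-body"

# Same bytes wrapped in PEM markers (what set_x509_key_mem with GNUTLS_X509_FMT_PEM
# would consume on the client side).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER."""
    body = b"".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith(b"-----")
    )
    return base64.b64decode(body)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hex fingerprint of the DER encoding; sha1 as in the thread, sha256 also works."""
    return hashlib.new(algo, der).hexdigest()


# Trust database keyed by fingerprint, as an alternative to CA-based verification.
# The identity label is hypothetical.
TRUSTED = {
    fingerprint(SAMPLE_DER): "example-client",
}


def lookup_peer(peer_cert_list, db=TRUSTED):
    """Classify the peer certificate list the server received.

    Returns a (status, detail) tuple:
      ("no-certificate", None)  -- client sent nothing (the case in the thread)
      ("trusted", identity)     -- leaf certificate fingerprint is in the database
      ("unknown", fingerprint)  -- a certificate arrived but is not in the database
    """
    if not peer_cert_list:
        return ("no-certificate", None)
    # Only the leaf (first) certificate identifies the client; any further
    # entries would be chain certificates, which a fingerprint database ignores.
    fp = fingerprint(peer_cert_list[0])
    for known_fp, identity in db.items():
        # Fingerprints are not secret, but a constant-time compare costs nothing.
        if hmac.compare_digest(fp, known_fp):
            return ("trusted", identity)
    return ("unknown", fp)


if __name__ == "__main__":
    print(lookup_peer([]))
    print(lookup_peer([pem_to_der(SAMPLE_PEM)]))
    print(lookup_peer([b"some other certificate"]))
```

The distinction between "no-certificate" and "unknown" is the one worth logging separately on a server: the first points at client configuration (the certificate was never sent, for example because the server advertised no acceptable CAs), the second at a certificate that is present but not enrolled.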