[Help-gnutls] Peer certificates not signed by any CA
fweimer at bfk.de
Tue Jun 13 14:51:34 CEST 2006
On Tue, Jun 13, 2006 at 12:10:32PM +0200, Nikos Mavrogiannopoulos wrote:
> >the client tells the server which certificate it is going to send (so
> >that the server can look it up in a database and tell GNUTLS it is
> >trusted). However, I'd like to avoid this.
> Why do that in an outer protocol?
Because the server is pre-warned and can feed the expected certificate
> From the server side you can access the actual certificate that the
> client had sent, thus you can look it up in a database (say by using
> the sha-1 of the certificate or even something simpler).
Well, according to my experiments, this doesn't work. 8-( Good to know
that it should, though.
> >After that, the peer certificate list is empty, even though the client
> Probably it is empty because the client didn't send any certificate.
Indeed, gnutls_certificate_client_get_request_status returns 0 on the
client side. But if I comment out the set_x509_key_mem call (see
below), the test case with set_x509_trust_mem on the server side begins
to fail. Therefore, I assume that a client certificate is actually
sent to the server.
> How do you set up the client side? If you use the default functions
> most probably the certificate will not be sent if the server doesn't send
> in his certificate request message a list of acceptable CAs (at least
> one CA must have signed that certificate).
my $cred = new Crypt::GNUTLS::CertificateCredentials;
$cred->set_x509_key_mem($client_cert, $client_key, GNUTLS_X509_FMT_PEM);
my $session = new_client Crypt::GNUTLS::Session;
> In that case if you would like to send the client certificate anyway,
> you should use the callback function (don't remember the name right
Will try and report. But it's rather strange that I see a certificate
on the server side even if the client doesn't send one. 8-/ Smells like
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Durlacher Allee 47 tel: +49-721-96201-1
D-76131 Karlsruhe fax: +49-721-96201-99
More information about the Gnutls-help