[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Ludovic Courtès ludo at chbouib.org
Sat May 12 16:56:22 CEST 2007


Simon Josefsson <simon at josefsson.org> writes:

> Oh.  I see, bad theory then.  Hm.  Have you loaded the proper CA cert in
> the server?  The server sends over some information about the known CA
> certs, and if that doesn't match the user's certificate, the client
> won't send its user certificate.

Actually, you were right: my power cable was not quite plugged in.  ;-)
Adding a `set_x509_trust_file ()' call on the server side fixed the

I was not expecting such behavior, though.  Roughly, I had copied my
OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
"openpgp" with "x509".  The fact that we need to specify a trust file in
X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
creates a slight asymmetry.



More information about the Gnutls-help mailing list