[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Simon Josefsson simon at josefsson.org
Sun May 13 12:30:25 CEST 2007


ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <simon at josefsson.org> writes:
>
>> Oh.  I see, bad theory then.  Hm.  Have you loaded the proper CA cert in
>> the server?  The server sends over some information about the known CA
>> certs, and if that doesn't match the user's certificate, the client
>> won't send its user certificate.
>
> Actually, you were right: my power cable was not quite plugged in.  ;-)
> Adding a `set_x509_trust_file ()' call on the server side fixed the
> problem.

Ah, ok.

> I was not expecting such behavior, though.  Roughly, I had copied my
> OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
> "openpgp" with "x509".  The fact that we need to specify a trust file in
> X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
> creates a slight asymmetry.

I think the asymmetry can be traced back to the protocols.  Certificate
requests with X.509 require that the user cert matches the CA cert, but
with OpenPGP such a check isn't applicable.

I don't know whether it is OK for a client to send an X.509 client cert
that doesn't match one of the authorities sent by the server.  Maybe
that should be possible?

/Simon
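The mechanism behind the asymmetry discussed in this thread, as an added illustration that is neither GnuTLS code nor part of the original messages: in TLS 1.2 the server's CertificateRequest carries a list of CA distinguished names (GnuTLS fills it from the certificates loaded with gnutls_certificate_set_x509_trust_file, which is why the server-side call was needed), and a client only offers a certificate whose issuer name appears in that list. The example below builds and parses a CertificateRequest body and applies that selection rule. The CA name "Test CA", the candidate certificate labels and the single-CN name encoder are constructed for the example; real client certificates carry full issuer names, and the DER comparison is byte-exact, as it is in practice.

```python
"""Illustrative parser and client-side matching for a TLS 1.2 CertificateRequest.

Constructed example, not GnuTLS code: the CA name and candidate certificates
below are made up for the demonstration.
"""
import struct


def der_len(n):
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def cn_name(cn):
    """X.501 Name with a single CN attribute:
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }"""
    oid_cn = bytes.fromhex("550403")
    atv = der_tlv(0x30, der_tlv(0x06, oid_cn) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def build_certificate_request(ca_names):
    """RFC 5246 7.4.4 CertificateRequest body (handshake header omitted)."""
    cert_types = bytes([1])      # rsa_sign
    sig_algs = bytes([4, 1])     # sha256 + rsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


def parse_certificate_request(msg):
    """Return (certificate_types, signature_algorithms, ca_names_der)."""
    off = 0
    n = msg[off]
    off += 1
    cert_types = list(msg[off:off + n])
    off += n
    (n,) = struct.unpack_from("!H", msg, off)
    off += 2
    sig_algs = [tuple(msg[off + i:off + i + 2]) for i in range(0, n, 2)]
    off += n
    (n,) = struct.unpack_from("!H", msg, off)
    off += 2
    end = off + n
    cas = []
    while off < end:
        (ln,) = struct.unpack_from("!H", msg, off)
        off += 2
        cas.append(bytes(msg[off:off + ln]))
        off += ln
    if off != end or off != len(msg):
        raise ValueError("malformed CertificateRequest")
    return cert_types, sig_algs, cas


def select_client_cert(ca_names, candidates):
    """candidates: list of (label, issuer_name_der).

    Returns the label of the first candidate whose issuer is one of the
    advertised CAs.  An empty CA list means the client may send any
    certificate (RFC 5246 7.4.4); no match means the client sends none,
    which is the situation that produced the GNUTLS_CERT_REQUIRE failure.
    """
    if not ca_names:
        return candidates[0][0] if candidates else None
    for label, issuer in candidates:
        if issuer in ca_names:
            return label
    return None


if __name__ == "__main__":
    ca = cn_name("Test CA")                      # constructed CA name
    msg = build_certificate_request([ca])
    _, _, advertised = parse_certificate_request(msg)
    candidates = [("cert-from-other-ca", cn_name("Other CA")),
                  ("cert-from-test-ca", ca)]
    print(select_client_cert(advertised, candidates))
    print(select_client_cert(advertised, candidates[:1]))
```

With the server's trust file loaded, the advertised list contains the user's issuer and the client picks the matching certificate; without it the list is empty of that CA and the client offers nothing, so GNUTLS_CERT_REQUIRE fails on the server. An OpenPGP certificate request carries no such issuer list, which is the protocol-level reason the OpenPGP variant worked without a trust file.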