[Help-gnutls] Peer verification

Michael Bell michael.bell at cms.hu-berlin.de
Fri Nov 23 12:03:08 CET 2007


Hi,

I am trying to get correct validation for an https server. My problem is that 
certtool says that everything is fine and gnutls-cli fails.

Configuration:
   - server cert + intermediate ca + root ca
   - server sends only the server cert and the intermediate CA
   - server sends additionally several other CA certs
   - server does not send the root CA cert
   - CA file with both CA certs

certtool:
   - certtool -e --infile /tmp/certs.pem
   - certs.pem contains all three certificates
   - certtool verifies all certs with "Verification output: Verified."

gnutls-cli:
   - gnutls-cli --x509cafile /tmp/calist.pem kalender.cms.hu-berlin.de
   - tested with all certs, only the CAs and only the root in calist.pem
   - all certificates in calist.pem are correctly detected
   - all certs sent by the server are correctly recognized
   - nevertheless "Peer's certificate is NOT trusted"

Any ideas what's the problem? Browsers can verify the server correctly 
but perhaps the missing CA cert in the sent cert list of the server is a 
problem.

FYI I found this problem while debugging opensync/libsoup which uses gnutls.

Thanks in advance

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell at cms.hu-berlin.de   D-10099 Berlin
_______________________________________________________________

X.509 CA Certificates / Wurzelzertifikate

http://ra.pki.hu-berlin.de