[Help-gnutls] libgnutls: Verifying certificate chains, disconnected
Colin Leroy
colin at colino.net
Thu Oct 18 09:47:10 CEST 2007
Hello,
I'm one of the Claws Mail developers, and started integrating GnuTLS to
replace OpenSSL as our ssl library. Most of it works fine already, I
just have a few problems in the certificate verification area.
First thing: if I understand correctly, GnuTLS doesn't ship a list of
trusted CAs like openSSL. in order to be able to verify certificates
and present them as valid, I have to do something like
gnutls_certificate_set_x509_trust_file(xcred,
"/etc/ssl/certs/ca-certificates.crt");
(this file comes from OpenSSL), then
gnutls_certificate_verify_peers2(session, &status);
Then I'm able to get valid certificates from, for example,
pop.gmail.com.
The other problem, more important imho than having to set a trust file,
is that it seems I can do this only when I have a connected session.
Claws Mail stores known certificates on disk, and has an SSL
certificates manager UI, in which you can list and display the
certificates it has stored.
At this step however, there's no connection to the server running, so I
can only use gnutls_x509_crt_verify(), and that doesn't check the issuer
certificate(s), so I always have GNUTLS_CERT_INVALID... Whereas using
OpenSSL, I could use X509_verify_cert(&store) and openssl checks the
whole chain.
Do you have any pointers for that?
Thanks a lot in advance,
--
Colin
More information about the Gnutls-help
mailing list