[Help-gnutls] Re: libgnutls: Verifying certificate chains, disconnected
Simon Josefsson
simon at josefsson.org
Thu Oct 18 15:34:25 CEST 2007
Colin Leroy <colin at colino.net> writes:
> Hello,
>
> I'm one of the Claws Mail developers, and started integrating GnuTLS to
> replace OpenSSL as our ssl library. Most of it works fine already, I
> just have a few problems in the certificate verification area.
>
> First thing: if I understand correctly, GnuTLS doesn't ship a list of
> trusted CAs like openSSL. in order to be able to verify certificates
> and present them as valid, I have to do something like
>
> gnutls_certificate_set_x509_trust_file(xcred,
> "/etc/ssl/certs/ca-certificates.crt");
>
> (this file comes from OpenSSL), then
I believe most distributions (e.g., Debian) maintain that file. I
couldn't find a 'ca-certificates.crt' file in openssl 0.9.8e, although I
didn't look very carefully.
> gnutls_certificate_verify_peers2(session, &status);
>
> Then I'm able to get valid certificates from, for example,
> pop.gmail.com.
You'll need to do more than that to verify pop.gmail.com's certificate,
there is an example in the manual:
http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html
You may want to look at the source for 'msmtp' and/or 'mpop' utilities,
they use GnuTLS and claims to do proper certificate verification:
http://msmtp.sourceforge.net/ http://mpop.sourceforge.net/
Possibly there should be a simple utility function that does everything,
but this is quite application dependent so it is difficult to implement
it.
Generally, I think that ideally the X.509 stuff should be in another
library than GnuTLS. That would make things more modular and the
interface between TLS the protocol and X.509 the certificate format more
clear.
> The other problem, more important imho than having to set a trust file,
> is that it seems I can do this only when I have a connected session.
> Claws Mail stores known certificates on disk, and has an SSL
> certificates manager UI, in which you can list and display the
> certificates it has stored.
>
> At this step however, there's no connection to the server running, so I
> can only use gnutls_x509_crt_verify(), and that doesn't check the issuer
> certificate(s), so I always have GNUTLS_CERT_INVALID... Whereas using
> OpenSSL, I could use X509_verify_cert(&store) and openssl checks the
> whole chain.
>
> Do you have any pointers for that?
Check the source code for gnutls_certificate_verify_peers2, it contains
what you have to do externally. I don't think if there is a better
interface available.
/Simon
More information about the Gnutls-help
mailing list