[Help-gnutls] Re: libgnutls: Verifying certificate chains, disconnected

Colin Leroy colin at colino.net
Fri Oct 19 09:30:29 CEST 2007


On Thu, 18 Oct 2007 15:34:25 +0200, Simon Josefsson wrote:

Hi,

> I believe most distributions (e.g., Debian) maintain that file.  I
> couldn't find a 'ca-certificates.crt' file in openssl 0.9.8e,
> although I didn't look very carefully.

Ah, you're right, it's provided by another package, ca-certificates.

> > gnutls_certificate_verify_peers2(session, &status);
> >
> > Then I'm able to get valid certificates from, for example,
> > pop.gmail.com.  
> 
> You'll need to do more than that to verify pop.gmail.com's
> certificate, there is an example in the manual:

Indeed, there's also the validity date and the hostname to check... I
forgot those :)

> > At this step however, there's no connection to the server running,
> > so I can only use gnutls_x509_crt_verify(), and that doesn't check
> > the issuer certificate(s), so I always have GNUTLS_CERT_INVALID...
> > Whereas using OpenSSL, I could use X509_verify_cert(&store) and
> > openssl checks the whole chain.
> >
> > Do you have any pointers for that?   
> 
> Check the source code for gnutls_certificate_verify_peers2, it
> contains what you have to do externally.  I don't think there is a
> better interface available.

I've looked at it, but this code seems really closely interlaced with
things done at session start, and I couldn't figure out how to get the
certificates list starting from a gnutls_x509_crt...
-- 
Colin
