[Help-gnutls] client certificate not provided when no common root ca

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed May 21 13:35:33 CEST 2008


Rainer Gerhards wrote:
> Hi list,
> 
> me again ;) I have a server and client, both with self-signed
> certificates and no common root CA. My server requests the client's
> certificate. However, it does not receive one when there is no common
> root CA. If I add a common root CA to both client and server (but
> still have self-signed certs NOT signed by the common CA), I receive
> the client certificate.
> Is this desired behavior? (I think I read that it is, but can no longer find
> the doc page where it is described.)

Yes, this is the desired behavior. That is because the server requests
certificates only from the CAs it trusts.

> If so, is there any way around it
> (e.g. via the certificate retrieve functions)?

1. Include the client CA certificate in the server's trusted CA list.

2. (hack)
Use the callback functions in the client so that you can send any
certificate you like regardless of what the server requests (check the
gnutls-cli code).

regards,
Nikos
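The mechanism behind the reply, as an added illustration that is not part of the original thread or of GnuTLS itself: the server's CertificateRequest carries the subject DNs of the CAs it trusts, a self-signed certificate's issuer is its own subject, so it is only offered when the server trusts it directly (option 1) or when the client's retrieve callback ignores the requested list (option 2). All DNs and certificate objects are constructed sample data.

```python
"""Model of TLS client-certificate selection driven by the server's
CertificateRequest.certificate_authorities list. Constructed toy data;
this is not GnuTLS code, only the principle its reply describes."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # a self-signed certificate has issuer == subject


# Constructed sample certificates (hypothetical DNs).
CLIENT_SELF_SIGNED = Cert("CN=client", "CN=client")
COMMON_CA = Cert("CN=common-ca", "CN=common-ca")


def certificate_request_cas(server_trust_list: List[Cert]) -> List[str]:
    """DNs the server places in CertificateRequest.certificate_authorities:
    exactly the subjects of the CAs it trusts, nothing else."""
    return [ca.subject for ca in server_trust_list]


def default_select(chain: List[Cert], req_ca_dn: List[str]) -> Optional[List[Cert]]:
    """Default client behaviour: offer the chain only if the issuer of its
    topmost certificate is one of the requested CAs; otherwise send nothing."""
    top = chain[-1]
    return chain if top.issuer in req_ca_dn else None


def callback_select(chain: List[Cert], req_ca_dn: List[str]) -> Optional[List[Cert]]:
    """Option 2 (hack): a retrieve callback that ignores req_ca_dn and always
    offers the configured chain, whatever the server asked for."""
    return chain


def handshake(server_trust_list: List[Cert], select=default_select) -> Optional[List[Cert]]:
    """Return the certificate chain the server receives, or None."""
    req_ca_dn = certificate_request_cas(server_trust_list)
    return select([CLIENT_SELF_SIGNED], req_ca_dn)


if __name__ == "__main__":
    print("no shared CA     :", handshake([]))
    print("option 1 (trust) :", handshake([CLIENT_SELF_SIGNED]))
    print("option 2 (hack)  :", handshake([], callback_select))
```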