[Help-gnutls] client certificate not provided when no common root ca

Rainer Gerhards rgerhards at gmail.com
Wed May 21 13:42:14 CEST 2008

Hi Nikos,


On Wed, May 21, 2008 at 1:35 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi list,
>> me again ;) I have a server and client, both with self-signed
>> certificates and no common root CA. My server requests the client's
>> certificate. However, it does not receive one when there is no common
>> root CA. If I add a common root CA to both client and server (but
>> still have self-signed certs NOT signed by the common CA), I receive
>> the client certificate.
>> Is this desired behavior (I think I read it is, but can no longer find
>> the doc page where it is described).
> Yes this is the desired behavior. That is because the server requests
> certificates only from the CAs he trusts.

That makes an awful lot of sense ;)

>> If so, is there any way around it
>> (e.g. via the certificate retrieve functions)?
> 1. Include the client CA certificate into  the server trusted CA list
> 2. (hack)
> You should use the callback functions in client so that you can send any
> certificate that you like regardless of what the server requests (check
> gnutls-cli code).

I'll go for 2, as I need to support self-signed certs (again, the
fingerprint issue).

Thanks again for your help,

More information about the Gnutls-help mailing list