[Help-gnutls] client certificate not provided when no common root ca

Rainer Gerhards rgerhards at gmail.com
Wed May 21 13:42:14 CEST 2008


Hi Nikos,

inline...

On Wed, May 21, 2008 at 1:35 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi list,
>>
>> me again ;) I have a server and client, both with self-signed
>> certificates and no common root CA. My server requests the client's
>> certificate. However, it does not receive one when there is no common
>> root CA. If I add a common root CA to both client and server (but
>> still have self-signed certs NOT signed by the common CA), I receive
>> the client certificate.
>> Is this desired behavior? (I think I read it is, but can no longer find
>> the doc page where it is described.)
>
> Yes, this is the desired behavior. That is because the server requests
> certificates only from the CAs it trusts.

That makes an awful lot of sense ;)

>
>> If so, is there any way around it
>> (e.g. via the certificate retrieve functions)?
>
> 1. Include the client CA certificate into the server trusted CA list
>
> 2. (hack)
> You should use the callback functions in client so that you can send any
> certificate that you like regardless of what the server requests (check
> gnutls-cli code).

I'll go for 2, as I need to support self-signed certs (again, the
fingerprint issue).

Thanks again for your help,
Rainer
