nOOb Error : No certificates found!

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Apr 14 14:39:27 CEST 2010


On Wed, Apr 14, 2010 at 2:05 PM, gonzagueddr <gonzagueddr at yahoo.fr> wrote:
>
>> In the creation of the server keys you specifically asked for a tls
>> www server, thus it is normal for gnutls to detect a violation.
>
> Yes, but I also tried "gnutls-serv --http", so it is supposed to act as an http
> server, isn't it? And using a netbrowser to get https://domain.org:22222/
> returns the same error from the server ("No certificates found!")

Yes, the --http runs a test https server. However, the error you
mention is a non-fatal error.
The TLS handshake completes and you can view the page. It is legal for
a client to not send any certificate to the server.

> That's it: stream an mp3 over https using vlc, so the vlc server's command
> is "vlc --sout-http-cert="/path/servercert.pem"
> --sout-http-key="/path/serverkey.pem" --sout-http-ca="/path/cacert.pem"
> --sout '#standard{access=https,mux=ts,dst=192.168.1.15:22222/test.mp3}'
> my.mp3" (vlc server must be run with the ca, cert and key files, or it
> returns fatal error (cannot set certificate chain or private key))
> And when I open the stream, vlc server returns "TLS handshake error: The
> peer did not send any certificate", while the client returns "TLS handshake
> error: Error in the push function".
> I've been told on the vlc forum that the CA file must be present on the
> client's machine, so I've copied/pasted the cacert.pem to ca-certificates.crt
> (if this file is not present, client returns a warning (can not add
> credential x509), and then the same TLS handshake error)
>
> If I run the vlc server without the "--sout-http-ca", client returns :
>
> gnutls error: TLS session: access denied
> gnutls error: Certificate could not be verified
> gnutls error: Certificate's signer was not found
> main error: TLS client session handshake error

Here the client cannot verify the server's certificate. You have
to tell it how to find it.
In http://mailman.videolan.org/pipermail/vlc/2006-January/012777.html
they mention the .vlc/ssl/certs directory as a place to put the
CA certificate.

> So specifying those 3 files (ca, cert and key) on the server and the ca on
> the client gave me the fewest errors ...

Most probably specifying the http-ca option forces the server to require
a certificate. You might get more information at a vlc related list
though. Your issue has mostly to do with how vlc uses gnutls, which I
don't really know much about.

regards,
Nikos




