[Help-gnutls] Peer certificates not signed by any CA
Florian Weimer
fweimer at bfk.de
Fri Jun 4 10:49:51 CEST 2010
* Nikos Mavrogiannopoulos:
>> May I assume that the first certificate returned by
>> gnutls_certificate_get_peers contains public key material which
>> actually corresponds to the private key material which was used to
>> establish the session?
> No. That would be the last certificate in the chain.
But the documentation says:
    Get the peer's raw certificate (chain) as sent by the peer. These
    certificates are in raw format (DER encoded for X.509). In case of
    a X.509 then a certificate list may be present. The first
    certificate in the list is the peer's certificate, following the
    issuer's certificate, then the issuer's issuer etc.
So which one is correct? 8-)
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99