[Help-gnutls] Peer certificates not signed by any CA
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Jun 4 13:40:25 CEST 2010
On Fri, Jun 4, 2010 at 10:49 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Nikos Mavrogiannopoulos:
>
>>> May I assume that the first certificate returned by
>>> gnutls_certifcate_get_peers contains public key material which
>>> actually corresponds to the private key material which was used to
>>> establish the ssession?
>
>> No. That would be the last certificate in the chain.
>
> But the documentation says:
>
> Get the peer's raw certificate (chain) as sent by the peer. These
> certificates are in raw format (DER encoded for X.509). In case of
> a X.509 then a certificate list may be present. The first
> certificate in the list is the peer's certificate, following the
> issuer's certificate, then the issuer's issuer etc.
> So which one is correct? 8-)
The documentation is correct. Did I really say the thing above? :)
regards,
Nikos
More information about the Gnutls-help
mailing list