[gnutls-help] openldap+gnutls - unable to get TLS client DN

pascal Fautrero pascal.fautrero at crdp.ac-versailles.fr
Mon Jul 22 23:27:18 CEST 2013


yes, you are right, it was my fault. My client certificate (self-signed) was not included in the list of trusted CA in the master... 

----- Mail original -----
> As far as I understand from your description the client never sent a
> certificate even if you have configured it to send one. Is that
> correct?
> > On the client side, If I look at _gnutls_handshake_client, during
> > the same
> > handshake, only STATE0 is executed. More, gnutls_handshake function
> > is
> > executed only once. STATE7, responsible of sending client
> > certificate is
> > never executed. Is it a normal situation to see a TLS handshake with
> > so few
> > STATE executed ? STATE2 and STATE3 shouldn't be catched ?
> So I assume that there is a certificate configured. In that case is
> the authority of the certificate trusted by the server? In TLS, the
> server sends to the client its trusted authorities and the client
> replies with a certificate from that list. If its certificate is not
> from this trusted list gnutls will not send any (different versions
> may have different behavior - which one do you try with?).

ok, that's it ! I just have re-re-read the gnutls doc and it is clearly written !

Thank you very much :)


 You can
> check the actual conversation using wireshark, and see in the server's
> certificate request message the list of trusted authorities. If you
> see no certificate request message from the server, it means that the
> server is configured not to request a certificate from the client.
> regards,
> Nikos

Pascal Fautrero 
DTIC - Mission TICE 
CRDP de Versailles - 2 rue Pierre Bourdan - 78160 Marly-le-Roi 

More information about the Gnutls-help mailing list