[gnutls-help] Couple of questions about gnutls lib usage.

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sun Sep 22 23:35:27 CEST 2013


On 09/20/2013 05:35 PM, Jonathan Roudiere wrote:
> Hello everyone,
> 
> I'm porting a piece of software from OpenSSL to GnuTLS, and after having read
> the (great!) gnutls documentation I still have a couple of questions.
> 
> - Is there a way to retrieve certificates or a pkey from a credential struct?
> (a bit like gnutls_certificate_get_ours but for a
> certificate_credentials structure).

Unfortunately no. This was intentional to allow rewrites of the
internals of the certificate credentials structure.

> - In the case where I set a certificate and a key (through
> gnutls_certificate_set_x509_key*) in a credential struct, is there a
> function/way to add certificates to provide them with the first
> certificate (to build the chain)?

I don't quite understand the question. You mean if you provide an
incomplete chain whether you can fill it in later? If that is the
question, that isn't possible.

> - With DH, is a new key generated for every new SSL session? Or only
> once for the current cred and parameter pair? In this latter case can I
> change/control this behavior?

A new key is generated on every session to maintain the perfect forward
secrecy requirements. You cannot change that, but why would you want to
do it differently? If performance is an issue then you could use
specially crafted groups (as generated by certtool) that use a prime of
a certain type that allows for keys of smaller size (and thus much
faster exponentiation).

regards,
Nikos
