[gnutls-help] GnuTLS HTTP server

Stephen Nightingale stephen.nightingale at nist.gov
Fri Jan 24 16:12:00 CET 2014

On 1/23/2014 12:15 PM, Nikos Mavrogiannopoulos wrote:
>> So when I start gnutls-serv as an http server, where is it serving pages
>> from?  <snip>
> gnutls-serv is a debugging server, not a proper web server. For a web
> server that uses gnutls you may want to check mod_gnutls and nxweb.

Okay.  I'm thinking to run the pygnutls twisted-server, and add the http 
callback instead, so as to get more programmatic control than Apache allows.

>> I note also that when requesting 'disable-client-cert', gnutls-serv
>> still complains that no client certificate was furnished.
> Could you elaborate on the issue?

I have gnutls-serv set up as shown below:

    had4.antd [72]{.../tlslite-0.4.6/tests}-> more gnutlsserv.sh
    #3 /bin/sh
    gnutls-serv --port 4461 --disable-client-cert --http --x509keyfile 
fourkey.pem --
    x509certfile fourcert.pem

When connecting from the peer, the server spits out the following:

    had4.antd [73]{.../tlslite-0.4.6/tests}->
    * connection from, port 50551
    - Certificate type: X.509
    No certificates found!
    - Could not verify certificate (err: The peer did not send any 
    - Version: TLS1.1
    - Key Exchange: RSA
    - Cipher: 3DES-CBC
    - MAC: SHA1
    - Compression: NULL

So it complains about 'no certificates found' and gives a Could not 
verify error message, even though I have the --disable-client-cert 
option enabled.  This is identical to the behavior experienced when no 
client cert flag is set.

Ah! but when the --require-cert flag is set, this is what happens:

    had4.antd [82]{.../tlslite-0.4.6/tests}-> more ./gnutlsserv.sh
    #3 /bin/sh
    gnutls-serv --port 4461 --require-cert --http --x509keyfile 
fourkey.pem --x509cer
    tfile fourcert.pem
    had4.antd [83]{.../tlslite-0.4.6/tests}-> Error in handshake
    Error: The peer did not send any certificate.

So it looks like in the disable and no flag cases, the server complains 
but completes the connection, however in the require-cert case, no 
connection is made.  So I guess the message is just spurious noise.


Stephen Nightingale.

More information about the Gnutls-help mailing list