[gnutls-help] Certificate callback questions

Lavrentiev, Anton (NIH/NLM/NCBI) [C] lavr at ncbi.nlm.nih.gov
Wed Apr 22 02:31:56 CEST 2015


Hi,

I've been using basic GnuTLS features until a recent fallout with certificate-based connection authentication prompted
me to look into more advanced techniques such as callbacks.  I would appreciate it if somebody could answer these questions:

1. It's unclear to me why "gnutls_certificate_set_verify_function()" is a function of credentials rather than a session:
   I assumed that the same credentials added to a session via "gnutls_credentials_set()" can be reused.  Which means that
   certificate verification will be done on any such session rather than selected on a per-session basis.  I think my
   understanding is incomplete (yet API documentation does not provide any insight here).

2. There's something odd with the description of the "gnutls_certificate_set_retrieve_function*()" API:

   callbacks are documented as:
   int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn,...) 

   but the parameter descriptions that follow (for either call) refer to the nonexistent name "req_ca_cert".  I assume "req_ca_dn"
   was meant to be there, but I'm not sure.  Please confirm.

   Also, is the word "key" missing after "public" in the following description:
   "pcert should contain a single certificate and public or a list of them."

3. Can you please explain this phrase to me: "Contains a list with the CA names that the server considers trusted.
   Normally we should send a certificate that is signed by one of these CAs."  Is this a requirement?  In other
   words, if my server tells me it wants a GoDaddy-issued cert, and I send a Digicert one instead, then I should
   expect the server to drop the connection on me?

4. Is there a way to pass some context to a callback that is set with "gnutls_certificate_set_retrieve_function*()"?
   I.e. similar to "gnutls_session_set_ptr()" but for credentials.

5. If there is a certificate set in credentials (e.g. such as with "gnutls_certificate_set_x509_simple_pkcs12_file()")
   along with a certificate retrieval callback, what wins?

I apologize if my questions are naïve but I would appreciate any help I can get on this list.

Thank you,

Anton Lavrentiev
Contractor NIH/NLM/NCBI