[gnutls-help] Query-regarding-client-certificate

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 9 06:24:32 CEST 2015


Hi Anil--

On Fri 2015-06-05 01:33:00 -0400, Anil Kumar wrote:

> I am using the same key file and certificate file for both server and client.

why?  what are you expecting to gain from this configuration?  If client
and server can share secret key material, you might decide to use a
different handshake mode entirely, like PSK.

> Is this fine? Or do I have to generate separate files for client and server?

It's generally good practice to ensure that secret key material is
limited to the machines that truly need it.

> I am generating the file using certtool binary.
>
> My handshake process is successful, but in the wireshark capture I can only see
> the server certificate.

In TLS, the client will never send a certificate unless the server asks
for one.

> I have set the required APIs at both ends to verify the certificate,
> but still I am not seeing the client certificate being exchanged.

what APIs have you invoked?  when does your program invoke them?  being
specific will help.

In particular, have you invoked gnutls_certificate_server_set_request()
on the server side before the handshake is underway?

 http://gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fserver_005fset_005frequest

 --dkg
