[gnutls-help] Debugging X509 validation

MK mk at cognitivedissonance.ca
Sun Oct 6 21:15:27 CEST 2019

Hiya -- Is there a way to retrieve the gnutls_certificate_credentials_t set on a gnutls_session_t (with gnutls_credentials_set())? 

I'm getting nothing but GNUTLS_CERT_UNEXPECTED_OWNER and GNUTLS_CERT_SIGNER_NOT_FOUND when trying to validate a connection to hostname "google.com" using the system trust (Fedora 30). If I do not check the hostname, the error is just SIGNER_NOT_FOUND. If I do not do any validation, the connection to google.com 443 works.

Initially I was using gnutls_session_set_verify_cert() after gnutls_certificate_set_x509_system_trust() on the same gnutls_session_t.  The latter returns ~150 certs.

In order to debug the problem I've switched to gnutls_certificate_set_verify_function() and gnutls_certificate_verify_peers3(), which produces the same result but allows me to get to the session pointer (if I return 0 from the verify func without validating, the connection works). This is a C++ context (using only the C API) so there is always the potential for moving/copying objects to introduce problems, but I've tracked both the gnutls_session_t and associated gnutls_certificate_credentials_t pointers around and they are always what they are supposed to be.

I'm also using valgrind and libasan to catch mm problems but everything seems fine. My guess is that somewhere along the line the trust set on the session pointer (those ~150 certs) is getting thrown away and so nothing can pass validation, but I cannot check that inside the _set_verify_function (except via my own tables mapping session_t's to objects that contain a corresponding _certificate_credentials_t, but this does not prove anything, since it is external to the library).

If I can't get and examine the credentials_t from the session_t, a tip about where to start drilling down to expose the problem with something lower level than _verify_peers3() would be great. 

sincerely mk
