Re: [Help-gnutls] CA cert verification
From: Daniel Stenberg
Subject: Re: [Help-gnutls] CA cert verification
Date: Tue, 23 Aug 2005 23:25:27 +0200 (CEST)

On Tue, 23 Aug 2005, Nikos Mavrogiannopoulos wrote:

Thanks for responding!

>> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided
>
> You may want to check the return value to see how many certificates were
> loaded.

It returns 59.

And incidentally:

$ grep -c "BEGIN CERTIFICATE" /usr/share/curl/curl-ca-bundle.crt
59

>> gnutls_certificate_verify_peers2() - this seems to always return error with
>> the 'verify_status' integer (that the second argument points to) set to 66
>> on exit.
>
> What is the error number returned? The status is garbage if this function
> returns an error code.

It returns zero. It bails out in case it returns a < 0 value.

> The sequence looks good. It is just like gnutls-cli, so the problem is
> somewhere in the details.
>
>> $ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt
>
> What does gnutls-cli give with the same input?

(Still using 1.2.0)

$ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
...
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
...

So it seems it agrees with what my code ends up thinking... ? Or am I not
doing the right gnutls-cli command line?

Any chance this is a problem that has been fixed since this version I use?

The same verifying command line, using the openssl tool I believe would be:

$ openssl s_client -connect gmail.google.com:443 -CAfile /usr/share/curl/curl-ca-bundle.crt

It reports success.

--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
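
Added example, not part of the original message and not GnuTLS or curl code: the status value 66 discussed above is a bitmask, and the sketch below decodes it while keeping the function's return value separate from the status word. The helper name explain_verify() is hypothetical, and the bit values are copied from gnutls_certificate_status_t so the block builds without GnuTLS installed.

```c
#include <stdio.h>
#include <string.h>

/* Bit values of gnutls_certificate_status_t, copied from <gnutls/gnutls.h>
 * so this builds without GnuTLS; real code includes the header instead. */
static const struct { unsigned bit; const char *name; } cert_flags[] = {
    { 1u << 1, "GNUTLS_CERT_INVALID" },
    { 1u << 5, "GNUTLS_CERT_REVOKED" },
    { 1u << 6, "GNUTLS_CERT_SIGNER_NOT_FOUND" },
    { 1u << 7, "GNUTLS_CERT_SIGNER_NOT_CA" },
};

/* Hypothetical helper: ret is the return value of
 * gnutls_certificate_verify_peers2(), status the integer it filled in.
 * Returns 1 = trusted, 0 = verification ran and rejected the peer,
 * -1 = the call itself failed (status must not be read). */
int explain_verify(int ret, unsigned status, char *buf, size_t len)
{
    unsigned rest = status;
    size_t i;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    if (ret < 0) {
        snprintf(buf, len, "verify call failed (%d), status ignored", ret);
        return -1;
    }
    for (i = 0; i < sizeof cert_flags / sizeof cert_flags[0]; i++) {
        if (!(status & cert_flags[i].bit))
            continue;
        snprintf(buf + strlen(buf), len - strlen(buf), "%s%s",
                 buf[0] ? "|" : "", cert_flags[i].name);
        rest &= ~cert_flags[i].bit;
    }
    if (rest) /* bits this table does not know: still a failure */
        snprintf(buf + strlen(buf), len - strlen(buf), "%s0x%x",
                 buf[0] ? "|" : "", rest);
    return status == 0 ? 1 : 0;
}

int main(void)
{
    char buf[128];
    int r = explain_verify(0, 66, buf, sizeof buf); /* values from the thread */
    printf("%d %s\n", r, buf);
    return 0;
}
```

With a return value of 0 and a status of 66, the two bits set are GNUTLS_CERT_INVALID (2) and GNUTLS_CERT_SIGNER_NOT_FOUND (64).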