gnutls-devel

Re: Loading credentials in verify callback just as needed ?


From: Nikos Mavrogiannopoulos
Subject: Re: Loading credentials in verify callback just as needed ?
Date: Wed, 29 Aug 2012 13:30:15 +0200

On Tue, Aug 28, 2012 at 12:23 PM, Tim Ruehsen <address@hidden> wrote:
> Hi, maybe you can help me or point me to the right direction.
>
> My problem:
> GnuTLS initialization - as used in tools like wget - loads ALL .pem files from
> e.g. /etc/ssl/certs/. This takes 'ages' on slow computers (there are hundreds
> of certificates).
> I can't believe that all these certs are needed to handshake one single HTTPS
> connection.

In the current Internet trust situation most probably you need all of those.

> I am looking for a way to just load the needed certs (very likely with the
> verification callback function).
> The current code is mainly taken from the GnuTLS example client code.
> Its initialization looks like
> gnutls_global_init();
> gnutls_certificate_allocate_credentials(&credentials);
> gnutls_certificate_set_verify_function(credentials,_verify_certificate_callback);
>   * now loading all files in ca_directory by calling
> gnutls_certificate_set_x509_trust_file(credentials, fname,
> GNUTLS_X509_FMT_PEM);

You may also use gnutls_certificate_set_x509_system_trust() for this purpose.

> To reduce startup load, my idea is leaving away
>         gnutls_certificate_set_x509_trust_file()
> while initialization and call it right before
>         gnutls_certificate_verify_peers2()
> while handshaking.

I'm surprised that this function takes long for you. How many
certificates do you have and which version of gnutls is that?

> But how do I know which files to load right here.
> There must be some way to find that out which files/certs are needed.
> As far as I know, OpenSSL is doing something similar using some kind of hashes
> (c_rehash).
> Can anyone help?

GnuTLS doesn't have something similar to that, like loading the CA
file on demand.
You could of course simulate that functionality by using the
certificate's authority key identifier, or the issuer's name. What I'd
do if loading time was an issue, is to delegate verification to a
special process that has the CAs loaded already.

regards,
Nikos
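Nikos's suggestion above is to simulate on-demand CA loading by keying on the issuer name (or the authority key identifier) of the certificate the server presents. The following is an added example, not code from this thread or from GnuTLS itself, and it deliberately uses no GnuTLS API so that it compiles on its own: a minimal DER walker pulls the issuer Name out of a certificate and looks it up in an index of CA files keyed by subject Name. In a wget-style client this would run inside the verify callback: take the last certificate of the chain returned by gnutls_certificate_get_peers(), pass the file the lookup selects to gnutls_certificate_set_x509_trust_file(), then call gnutls_certificate_verify_peers2(). The index entry, the sample certificate (a constructed DER structure truncated after its issuer field) and the file name /etc/ssl/certs/Test_CA.pem are all made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one DER TLV at p. Stores the tag and content length and returns a
 * pointer to the content, or NULL if the encoding is malformed or runs past
 * end. Definite lengths with up to 4 length bytes are accepted (covers X.509). */
static const uint8_t *der_tlv(const uint8_t *p, const uint8_t *end,
                              uint8_t *tag, size_t *len)
{
    if (end - p < 2)
        return NULL;
    *tag = p[0];
    size_t n = p[1];
    p += 2;
    if (n & 0x80) {                      /* long form: 0x8k followed by k bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - p) < k)
            return NULL;
        n = 0;
        for (size_t i = 0; i < k; i++)
            n = (n << 8) | p[i];
        p += k;
    }
    if ((size_t)(end - p) < n)
        return NULL;
    *len = n;
    return p;
}

/* Find the issuer Name of a DER certificate:
 *   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 *       [0] version OPTIONAL, serialNumber INTEGER,
 *       signature AlgorithmIdentifier, issuer Name, ... } ... }
 * On success *issuer points at the issuer's complete TLV (the bytes that can
 * be memcmp'd against a CA's subject) and its length is returned; 0 means
 * the input did not parse. */
static size_t x509_issuer(const uint8_t *der, size_t der_len,
                          const uint8_t **issuer)
{
    const uint8_t *end = der + der_len, *p, *start;
    uint8_t tag;
    size_t len;

    p = der_tlv(der, end, &tag, &len);           /* Certificate */
    if (!p || tag != 0x30) return 0;
    end = p + len;
    p = der_tlv(p, end, &tag, &len);             /* tbsCertificate */
    if (!p || tag != 0x30) return 0;
    end = p + len;
    p = der_tlv(p, end, &tag, &len);             /* [0] version, or serialNumber */
    if (!p) return 0;
    if (tag == 0xa0) {                           /* explicit version present: skip */
        p = der_tlv(p + len, end, &tag, &len);
        if (!p) return 0;
    }
    if (tag != 0x02) return 0;                   /* serialNumber */
    p = der_tlv(p + len, end, &tag, &len);       /* signature AlgorithmIdentifier */
    if (!p || tag != 0x30) return 0;
    start = p + len;                             /* issuer TLV begins here */
    p = der_tlv(start, end, &tag, &len);
    if (!p || tag != 0x30) return 0;
    *issuer = start;
    return (size_t)(p + len - start);
}

/* The on-demand index: issuer Name DER -> CA file. A real client would build
 * this once from the subject Names of the files in the CA directory and keep
 * it; this single entry and the file name are constructed for the example. */
static const uint8_t test_ca_name[] = {
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e,
    0x06, 0x03, 0x55, 0x04, 0x03,                        /* OID 2.5.4.3 (CN) */
    0x0c, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'A'        /* UTF8String "Test CA" */
};
struct ca_entry { const uint8_t *name; size_t len; const char *file; };
static const struct ca_entry ca_index_table[] = {
    { test_ca_name, sizeof test_ca_name, "/etc/ssl/certs/Test_CA.pem" },
};

/* Return the CA file whose subject matches the leaf's issuer, or NULL when
 * nothing matches or the certificate is malformed (verification then fails). */
const char *ca_file_for(const uint8_t *leaf_der, size_t leaf_len)
{
    const uint8_t *iss;
    size_t n = x509_issuer(leaf_der, leaf_len, &iss);
    if (n == 0)
        return NULL;
    for (size_t i = 0; i < sizeof ca_index_table / sizeof ca_index_table[0]; i++)
        if (ca_index_table[i].len == n && memcmp(ca_index_table[i].name, iss, n) == 0)
            return ca_index_table[i].file;
    return NULL;
}

/* Constructed sample: a DER "certificate" cut off right after its issuer
 * field, which is all the walker above needs. Issuer is CN=Test CA. */
const uint8_t sample_cert[] = {
    0x30, 0x2d, 0x30, 0x2b,
    0xa0, 0x03, 0x02, 0x01, 0x02,                        /* [0] version v3 */
    0x02, 0x01, 0x01,                                    /* serialNumber 1 */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* sha256WithRSAEncryption */
    0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* issuer: CN=Test CA */
    0x04, 0x03, 0x0c, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'A'
};

int main(void)
{
    const char *f = ca_file_for(sample_cert, sizeof sample_cert);
    printf("CA file to load: %s\n", f ? f : "(none, reject)");
    return f ? 0 : 1;
}
```

Two points matter for using this safely. The issuer name comes from the untrusted peer, so a mismatch or an unparseable certificate must load nothing and let verification fail, which is what returning NULL does here; a forged issuer name cannot make the client trust the wrong CA, since the chain signature is still checked against the selected file's actual contents. Several CA files can also share one subject Name (re-issued or cross-signed roots with different keys), so a production index should map a name to a list of files, or key on the authority key identifier extension to disambiguate; the example keeps one file per name for brevity.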

