
[Help-gnutls] CA cert verification


From: Daniel Stenberg
Subject: [Help-gnutls] CA cert verification
Date: Mon, 22 Aug 2005 09:56:45 +0200 (CEST)

Hi friends

I have a little problem with my GnuTLS-enabled libcurl and CA cert verifying a server. If I build it with OpenSSL instead it succeeds (using the same CA cert file I should say).

Can you perhaps point out an obvious flaw in this flow?

gnutls_certificate_allocate_credentials()

gnutls_certificate_set_x509_trust_file() - if a CA file has been provided

gnutls_init()

gnutls_set_default_priority()

gnutls_certificate_type_set_priority()

gnutls_credentials_set() - sets the cred with the CA file, afaik understood it

gnutls_transport_set_ptr() - sets the file descriptor for the socket

gnutls_handshake() - handshake, done non-blocking but I doubt that matters

gnutls_certificate_get_peers()

gnutls_certificate_verify_peers2() - this seems to always return error with the 'verify_status' integer (that the second argument points to) set to 66 on exit.

How can I proceed to figure out why this happens?

This is using GnuTLS 1.2.0.

Trying 1.0.16 instead, I get verify_status return 130 instead.

This is easily testable using the curl command line tool:

$ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt

(the CA cert path above comes from where Debian's curl install puts the CA cert bundle)

--
         -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
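
The two verify_status values quoted above are bitmasks of gnutls_certificate_status_t, so the first step is to name the bits that are set. The decoder below is added example code, not from the message or from GnuTLS/libcurl; it assumes the flag values from gnutls.h (INVALID=2, REVOKED=32, SIGNER_NOT_FOUND=64, SIGNER_NOT_CA=128) apply to the 1.x releases named, and treats any other bit as unknown rather than silently dropping it.

```c
#include <stdio.h>
#include <string.h>

/* Bit values of gnutls_certificate_status_t as found in gnutls.h;
 * assumed here to match the GnuTLS 1.x releases named in the message. */
#define GNUTLS_CERT_INVALID            2u
#define GNUTLS_CERT_REVOKED           32u
#define GNUTLS_CERT_SIGNER_NOT_FOUND  64u
#define GNUTLS_CERT_SIGNER_NOT_CA    128u

static const struct { unsigned int bit; const char *name; } status_bits[] = {
    { GNUTLS_CERT_INVALID,          "INVALID" },
    { GNUTLS_CERT_REVOKED,          "REVOKED" },
    { GNUTLS_CERT_SIGNER_NOT_FOUND, "SIGNER_NOT_FOUND" },
    { GNUTLS_CERT_SIGNER_NOT_CA,    "SIGNER_NOT_CA" },
};

/* Write a '|'-joined list of flag names for a verify_status value into buf.
 * Only 0 means the peer chain verified. Returns the bits that this table
 * does not know about (0 when the value was fully decoded). */
unsigned int describe_verify_status(unsigned int status, char *buf, size_t len)
{
    unsigned int rest = status;
    size_t i;

    buf[0] = '\0';
    if (status == 0) {
        snprintf(buf, len, "VERIFIED");
        return 0;
    }
    for (i = 0; i < sizeof status_bits / sizeof status_bits[0]; i++) {
        if (rest & status_bits[i].bit) {
            if (buf[0] != '\0')
                strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, status_bits[i].name, len - strlen(buf) - 1);
            rest &= ~status_bits[i].bit;
        }
    }
    if (rest != 0) {  /* bits outside the table: report, never ignore */
        char tmp[32];
        snprintf(tmp, sizeof tmp, "|UNKNOWN(0x%x)", rest);
        strncat(buf, tmp, len - strlen(buf) - 1);
    }
    return rest;
}

int main(void)
{
    /* the two values reported in the message, plus a clean result */
    unsigned int samples[] = { 66, 130, 0 };
    char buf[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_verify_status(samples[i], buf, sizeof buf);
        printf("verify_status %u = %s\n", samples[i], buf);
    }
    return 0;
}
```

66 decodes to INVALID|SIGNER_NOT_FOUND and 130 to INVALID|SIGNER_NOT_CA, i.e. the issuer of the server's chain was not found in, or not accepted as a CA from, what gnutls_certificate_set_x509_trust_file() loaded, which narrows the search to the trust file and its parsing rather than the handshake.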

