[Help-gnutls] Re: CA cert verification


From: Daniel Stenberg
Subject: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 09:33:13 +0200 (CEST)

On Wed, 24 Aug 2005, Simon Josefsson wrote:

address@hidden:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com

The key difference turns out to be:

  gnutls_certificate_set_verify_flags(cred,
                                      GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

Which gnutls-cli sets and I didn't. When I use this, I can successfully verify this server's certificate!

Perhaps the gnutls_certificate_verify_peers2() description in the docs could hint about the possibility that this is needed?

Another little nit that is slightly related:

gnutls-cli uses the gnutls_certificate_verify_peers() function (alias, not the *2 version), there are numerous references to this function in the docs but there's no description for it... I take it the gnutls_certificate_verify_peers2() is the one we should be using, but it would probably be suitable if gnutls-cli was switched to use it and if the references in the docs were updated as well.

--
         -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
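
The flag discussed in this message applies to CA certificates encoded as X.509 version 1, which omit the version field and cannot carry extensions such as basicConstraints. As an added example (not part of the original message and not GnuTLS code), this Python code goes one step beyond the message and reports the X.509 version of every certificate in a PEM bundle such as the file passed to `--x509cafile`, so v1 trust anchors can be spotted. The function names are hypothetical, and the sample bundle is constructed from DER skeletons that hold only the fields the parser reads.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    for _ in range(2):                      # Certificate, then tbsCertificate
        tag, start, _end = read_tlv(der, 0 if _ == 0 else start)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
    tag, start, _end = read_tlv(der, start)  # first field of tbsCertificate
    if tag != 0xA0:                         # no [0] EXPLICIT version: DEFAULT v1
        return 1
    tag, vstart, vend = read_tlv(der, start)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    return int.from_bytes(der[vstart:vend], "big") + 1

def versions_in_bundle(pem_text):
    """X.509 version of each certificate in a PEM bundle, in file order."""
    return [x509_version(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

def _der(tag, content):                     # short-form lengths only (sample data)
    return bytes([tag, len(content)]) + content

def _skeleton(version):                     # constructed sample, not a real certificate
    fields = _der(0x02, b"\x01")            # serialNumber
    if version != 1:
        fields = _der(0xA0, _der(0x02, bytes([version - 1]))) + fields
    body = base64.b64encode(_der(0x30, _der(0x30, fields))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _skeleton(1) + _skeleton(3)

if __name__ == "__main__":
    print(versions_in_bundle(SAMPLE_BUNDLE))
```

To audit a real bundle, pass the file's text to `versions_in_bundle()` and look for entries equal to 1.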
