[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)

From: Andrew McDonald
Subject: [gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)
Date: Sun Mar 17 21:41:01 2002
User-agent: Mutt/1.3.27i

In the CVS version of gnutls I get a GNUTLS_E_NO_CERTIFICATE_FOUND
error if there are no CA certificates in the credentials list, e.g.
when the certificate file set through
gnutls_certificate_set_x509_trust_file is empty or does not exist.

This is because of the tcas_size == 0 check in
_gnutls_x509_verify_certificate. In 0.3.5 the tcas_size == 0 check in
gnutls_verify_certificate caused it to return GNUTLS_CERT_NOT_TRUSTED.

The 0.3.5 behaviour seems the correct one to me since the user may not
have any CAs and just wants to check the fingerprint of each
certificate by hand, especially in situations where the certificate is
likely to be self-signed.

Just getting rid of the tcas_size == 0 check at the start of
_gnutls_x509_verify_certificate should be enough, since
the later call to gnutls_verify_certificate2 will return/set
GNUTLS_CERT_NOT_TRUSTED if !(tcas_size >= 1). This will also ensure
that the EXPIRED and other flags are set as appropriate.

One line patch attached.

Andrew McDonald
E-mail: address@hidden

Attachment: x509_verify.patch
Description: Text document

Attachment: pgppTpR48h_EY.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]