gnutls-devel

[gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)


From: Andrew McDonald
Subject: [gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)
Date: Sun Mar 17 21:41:01 2002
User-agent: Mutt/1.3.27i

In the CVS version of gnutls I get a GNUTLS_E_NO_CERTIFICATE_FOUND
error if there are no CA certificates in the credentials list, e.g.
when the certificate file set through
gnutls_certificate_set_x509_trust_file is empty or does not exist.

This is because of the tcas_size == 0 check in
_gnutls_x509_verify_certificate. In 0.3.5 the tcas_size == 0 check in
gnutls_verify_certificate caused it to return GNUTLS_CERT_NOT_TRUSTED.

The 0.3.5 behaviour seems the correct one to me since the user may not
have any CAs and just wants to check the fingerprint of each
certificate by hand, especially in situations where the certificate is
likely to be self-signed.

Just getting rid of the tcas_size == 0 check at the start of
_gnutls_x509_verify_certificate should be enough, since
the later call to gnutls_verify_certificate2 will return/set
GNUTLS_CERT_NOT_TRUSTED if !(tcas_size >= 1). This will also ensure
that the EXPIRED and other flags are set as appropriate.

One-line patch attached.


Andrew
-- 
Andrew McDonald
E-mail: address@hidden
http://www.mcdonald.org.uk/andrew/

Attachment: x509_verify.patch
Description: Text document

Attachment: pgppTpR48h_EY.pgp
Description: PGP signature
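
The two behaviours contrasted in the message above, as an added example that is not part of the original post and is not GnuTLS code. It is a self-contained model: the structs, flag values, integer issuer ids and 4-byte fingerprints are constructed assumptions, and only the names echo the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names echo the message; values and structs are illustrative, not GnuTLS's. */
enum { CERT_NOT_TRUSTED = 1, CERT_EXPIRED = 2, E_NO_CERTIFICATE_FOUND = -1 };
#define FP_LEN 4   /* shortened constructed fingerprint; real ones are hash-sized */

struct cert { int issuer_id; long not_after; uint8_t fp[FP_LEN]; };

/* Constructed sample data: one valid and one expired self-signed certificate. */
static const struct cert SELF_SIGNED  = { 7, 2000, { 0xde, 0xad, 0xbe, 0xef } };
static const struct cert EXPIRED_CERT = { 7, 500,  { 0xde, 0xad, 0xbe, 0xef } };
static const uint8_t PINNED[FP_LEN]   = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t OTHER[FP_LEN]    = { 0x00, 0x11, 0x22, 0x33 };

/* Requested behaviour: always return status flags; no CAs just means NOT_TRUSTED. */
int verify_flags(const struct cert *c, const int *tcas, size_t tcas_size, long now) {
    int status = CERT_NOT_TRUSTED;
    for (size_t i = 0; i < tcas_size; i++)
        if (tcas[i] == c->issuer_id) status = 0;
    if (c->not_after < now) status |= CERT_EXPIRED;
    return status;
}

/* Reported behaviour: an empty CA list aborts before any flag is computed. */
int verify_early_exit(const struct cert *c, const int *tcas, size_t tcas_size, long now) {
    if (tcas_size == 0) return E_NO_CERTIFICATE_FOUND;
    return verify_flags(c, tcas, tcas_size, now);
}

/* Caller policy: an untrusted certificate is accepted only on a pinned-fingerprint
   match and never when expired. The compare does not stop at the first mismatch. */
int accept_peer(const struct cert *c, const int *tcas, size_t n, long now, const uint8_t *pin) {
    int status = verify_flags(c, tcas, n, now);
    if (status & CERT_EXPIRED) return 0;
    if (!(status & CERT_NOT_TRUSTED)) return 1;
    uint8_t diff = 0;
    for (size_t i = 0; i < FP_LEN; i++) diff |= (uint8_t)(c->fp[i] ^ pin[i]);
    return diff == 0;
}

int main(void) {
    printf("early exit: %d, flags: %d, pinned: %d, wrong pin: %d\n",
           verify_early_exit(&SELF_SIGNED, NULL, 0, 1000),
           verify_flags(&SELF_SIGNED, NULL, 0, 1000),
           accept_peer(&SELF_SIGNED, NULL, 0, 1000, PINNED),
           accept_peer(&SELF_SIGNED, NULL, 0, 1000, OTHER));
    return 0;
}
```

With the early exit, the caller never learns whether the certificate is expired, so a fingerprint-only policy cannot reject an expired certificate on the basis of the returned status.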

