help-gnutls

[Help-gnutls] Re: CA cert verification


From: Simon Josefsson
Subject: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 00:11:22 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:

>>> $ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt
>> What does gnutls-cli give with the same input?
>
> (Still using 1.2.0)
>
> $ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
> ...
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> ...
>
> So it seems it agrees with what my code ends up thinking... ? Or am I not 
> doing the right gnutls-cli command line?
>
> Any chance this is a problem that has been fixed since this version I use?

gnutls-cli from GnuTLS 1.2.6 appears to be able to connect and
verify the peer fine here (see below).

Cheers,
Simon

address@hidden:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
Processed 59 CA certificate(s).
Resolving 'gmail.google.com'...
Connecting to '64.233.183.107:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'gmail.google.com'.
 # valid since: Wed Jun  8 00:12:57 CEST 2005
 # expires at: Thu Jun  8 00:12:57 CEST 2006
 # fingerprint: 1E:56:99:FD:16:73:C1:95:8F:9F:AD:43:29:F1:93:5A
 # Subject's DN: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com
 # Issuer's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA

 - Certificate[1] info:
 # valid since: Thu May 13 02:00:00 CEST 2004
 # expires at: Tue May 13 01:59:59 CEST 2014
 # fingerprint: 84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
 # Subject's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority


- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
...



