[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
From: Simon Josefsson
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
Date: Sun, 13 May 2007 12:30:25 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)
address@hidden (Ludovic Courtès) writes:
> Hi,
>
> Simon Josefsson <address@hidden> writes:
>
>> Oh. I see, bad theory then. Hm. Have you loaded the proper CA cert in
>> the server? The server sends over some information about the known CA
>> certs, and if that doesn't match the user's certificate, the client
>> won't send its user certificate.
>
> Actually, you were right: my power cable was not quite plugged in. ;-)
> Adding a `set_x509_trust_file ()' call on the server side fixed the
> problem.
Ah, ok.
> I was not expecting such behavior, though. Roughly, I had copied my
> OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
> "openpgp" with "x509". The fact that we need to specify a trust file in
> X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
> creates a slight asymmetry.
I think the asymmetry can be traced back to the protocols. Certificate
requests with X.509 require that the user cert matches the CA cert, but
with OpenPGP such a check isn't applicable.
I don't know whether it is OK for a client to send an X.509 client cert
that doesn't match one of the authorities sent by the server. Maybe
that should be possible?
/Simon
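As an added illustration (not code from this thread or from GnuTLS), the C below parses the TLS 1.0/1.1 CertificateRequest body that a server sends when it asks for a client certificate, and models the client-side rule described above: the certificate_authorities list is what the server's trust file populates, and the client stays silent when its certificate's issuer name is not in that list. The "CN=CA" name, both sample messages and the 16-entry cap are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
struct dn { const uint8_t *der; size_t len; };  /* one advertised CA: raw DER Name */
/* Parse a TLS 1.0/1.1 CertificateRequest body (RFC 4346, section 7.4.4):
 * certificate_types (1-byte length, one byte per type) followed by
 * certificate_authorities (2-byte length; DER Names, each 2-byte-length-prefixed).
 * Stores up to max names in out (NULL allowed when max is 0). Returns the number
 * of CA names the server advertises, or -1 if the body is malformed. */
int parse_cert_request(const uint8_t *m, size_t len, struct dn *out, int max)
{
    size_t pos = 0, ntypes, listlen, dnlen;
    int n = 0;
    if (len < 1) return -1;
    ntypes = m[pos++];
    if (ntypes == 0 || pos + ntypes > len) return -1;
    pos += ntypes;                                   /* skip certificate_types */
    if (pos + 2 > len) return -1;
    listlen = ((size_t)m[pos] << 8) | m[pos + 1];
    pos += 2;
    if (pos + listlen != len) return -1;             /* the list must end the body */
    while (pos < len) {
        if (pos + 2 > len) return -1;
        dnlen = ((size_t)m[pos] << 8) | m[pos + 1];
        pos += 2;
        if (dnlen == 0 || pos + dnlen > len) return -1;
        if (n < max) { out[n].der = m + pos; out[n].len = dnlen; }
        n++, pos += dnlen;
    }
    return n;
}

/* Client-side rule modelled on the thread: send the certificate only if its
 * issuer name is one of the advertised CAs; otherwise stay silent. */
int client_would_send(const uint8_t *m, size_t len, const uint8_t *issuer, size_t ilen)
{
    struct dn cas[16];
    int n = parse_cert_request(m, len, cas, 16);
    for (int i = 0; i < n && i < 16; i++)
        if (cas[i].len == ilen && memcmp(cas[i].der, issuer, ilen) == 0) return 1;
    return 0;
}

/* Constructed samples. CA_NAME is the DER Name "CN=CA" (SEQUENCE { SET {
 * SEQUENCE { OID 2.5.4.3, PrintableString "CA" } } }). REQ_NO_TRUST is a server
 * with no trust file (type rsa_sign, empty list); REQ_WITH_CA adds CA_NAME. */
const uint8_t CA_NAME[] = { 0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,0x43,0x41 };
const uint8_t REQ_NO_TRUST[] = { 0x01,0x01, 0x00,0x00 };
const uint8_t REQ_WITH_CA[] = { 0x01,0x01, 0x00,0x11, 0x00,0x0f, 0x30,0x0d,0x31,0x0b,0x30,0x09,
                                0x06,0x03,0x55,0x04,0x03,0x13,0x02,0x43,0x41 };
```

With the empty list the client has nothing to match against, which is the silent-client symptom the thread traces to a missing `set_x509_trust_file ()` call on the server.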