[Help-gnutls] Peer certificates not signed by any CA
From: Florian Weimer
Subject: [Help-gnutls] Peer certificates not signed by any CA
Date: Tue, 13 Jun 2006 10:31:29 +0200
User-agent: Mutt/1.5.11+cvs20060403
As far as I can tell, GNUTLS discards a peer certificate unless it is
signed by a trusted CA. For SSH-style "leap of faith" authentication,
this is counterproductive. I could add an outer protocol layer in which
the client tells the server which certificate it is going to send (so
that the server can look it up in a database and tell GNUTLS it is
trusted). However, I'd like to avoid this.
Here's how I set up the session on the server side:
my $cred = new Crypt::GNUTLS::CertificateCredentials;
$cred->set_x509_key_mem($server_cert, $server_key, GNUTLS_X509_FMT_PEM);
my $session = new_server Crypt::GNUTLS::Session;
$session->set_default_priority;
$session->kx_set_priority(qw/RSA/);
$session->certificate_server_set_request(GNUTLS_CERT_REQUEST);
$cred->set($session);
After that, the peer certificate list is empty, even though the client
claims to have sent a certificate. If I mark the client certificate as
trusted, using:
$cred->set_x509_trust_mem($client_cert, GNUTLS_X509_FMT_PEM);
the certificate is returned as desired. However, I can't really load
all client certificates into the library because that wouldn't scale.
Any suggestions?
--
Florian Weimer <address@hidden>
BFK edv-consulting GmbH http://www.bfk.de/
Durlacher Allee 47 tel: +49-721-96201-1
D-76131 Karlsruhe fax: +49-721-96201-99
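An added example, not part of Florian's message and not Crypt::GNUTLS or GnuTLS code: the SSH-style "leap of faith" lookup the post describes, written in Python as a known-hosts style pin store that the server consults after the handshake instead of loading every client certificate as a trust anchor. It assumes the application can obtain the peer's DER-encoded certificate from the TLS library and identifies peers by a stable name; the certificate bytes below are constructed placeholders, not real certificates.

```python
import hashlib
from enum import Enum


class TofuResult(Enum):
    FIRST_SEEN = "first-seen"  # no pin stored: leap of faith, remember it
    MATCH = "match"            # presented certificate equals the stored pin
    MISMATCH = "mismatch"      # a pin exists but differs: refuse, alert operator


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the DER encoding: the value an operator compares out of
    # band, like an SSH host key fingerprint.
    return hashlib.sha256(cert_der).hexdigest()


class KnownPeers:
    """Known-hosts style pin store keyed by a stable peer identity.

    In-memory for the example; a deployment persists it and protects it
    from tampering, because the store is the trust anchor in this model.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, peer_id: str, cert_der: bytes) -> TofuResult:
        fp = fingerprint(cert_der)
        stored = self._pins.get(peer_id)
        if stored is None:
            self._pins[peer_id] = fp  # first contact: pin it
            return TofuResult.FIRST_SEEN
        if stored == fp:
            return TofuResult.MATCH
        # Never overwrite silently: a changed certificate is either a
        # legitimate rotation or an interposed peer; only the operator knows.
        return TofuResult.MISMATCH

    def rotate(self, peer_id: str, cert_der: bytes) -> None:
        # Explicit, operator-approved re-pin after an out-of-band check.
        self._pins[peer_id] = fingerprint(cert_der)


def demo() -> list:
    # Constructed stand-in certificate bytes, not real DER certificates.
    cert_a, cert_a2 = b"constructed DER: alpha cert 1", b"constructed DER: alpha cert 2"
    store = KnownPeers()
    results = [store.check("alpha", cert_a), store.check("alpha", cert_a),
               store.check("alpha", cert_a2)]
    store.rotate("alpha", cert_a2)  # operator confirmed the new certificate
    results.append(store.check("alpha", cert_a2))
    return [r.value for r in results]
```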