
[Help-gnutls] Peer certificates not signed by any CA


From: Florian Weimer
Subject: [Help-gnutls] Peer certificates not signed by any CA
Date: Tue, 13 Jun 2006 10:31:29 +0200
User-agent: Mutt/1.5.11+cvs20060403

As far as I can tell, GNUTLS discards a peer certificate unless it is
signed by a trusted CA.  For SSH-style "leap of faith" authentication,
this is counterproductive.  I could add an outer protocol layer in which
the client tells the server which certificate it is going to send (so
that the server can look it up in a database and tell GNUTLS it is
trusted).  However, I'd like to avoid this.

Here's how I set up the session on the server side:

    my $cred = new Crypt::GNUTLS::CertificateCredentials;
    $cred->set_x509_key_mem($server_cert, $server_key, GNUTLS_X509_FMT_PEM);

    my $session = new_server Crypt::GNUTLS::Session;
    $session->set_default_priority;
    $session->kx_set_priority(qw/RSA/);
    $session->certificate_server_set_request(GNUTLS_CERT_REQUEST);
    $cred->set($session);

After that, the peer certificate list is empty, even though the client
claims to have sent a certificate.  If I mark the client certificate as
trusted, using:

    $cred->set_x509_trust_mem($client_cert, GNUTLS_X509_FMT_PEM);

the certificate is returned as desired.  However, I can't really load
all client certificates into the library because that wouldn't scale.

Any suggestions?

-- 
Florian Weimer                <address@hidden>
BFK edv-consulting GmbH       http://www.bfk.de/
Durlacher Allee 47            tel: +49-721-96201-1
D-76131 Karlsruhe             fax: +49-721-96201-99
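The SSH-style "leap of faith" check the post asks for, as an added example that is not from the post, the Crypt::GNUTLS binding or GnuTLS itself: once the application can get at the raw peer certificate (its DER bytes), it pins the certificate's SHA-256 fingerprint per client identity in a known-hosts style store and accepts only the first certificate it ever saw for that identity. The certificate bytes and the identity "alice" below are constructed stand-ins.

```python
from __future__ import annotations

import hashlib
import json
from pathlib import Path

# Outcomes of a leap-of-faith lookup, modelled on SSH's known_hosts handling.
FIRST_SEEN = "first-seen"  # identity unknown: pin this fingerprint and accept
MATCH = "match"            # pinned fingerprint agrees: accept
MISMATCH = "mismatch"      # pinned fingerprint differs: reject, never overwrite


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding of the peer certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps a client identity (e.g. the name it presents) to one pinned fingerprint.
    The first certificate seen for an identity is trusted (the leap of faith);
    every later connection must present that same certificate."""

    def __init__(self, path: Path | None = None) -> None:
        self.path = path                      # None keeps the store in memory only
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, identity: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(identity)
        if pinned is None:
            self.pins[identity] = fp
            self._save()
            return FIRST_SEEN
        # A mismatch is reported, not "repaired": silently re-pinning would
        # defeat the purpose of remembering the first certificate.
        return MATCH if pinned == fp else MISMATCH


# Constructed stand-ins for the DER bytes a real peer would send.
CLIENT_A_CERT = b"\x30\x82\x01\x00constructed-cert-for-client-a"
CLIENT_A_RENEWED = b"\x30\x82\x01\x00constructed-cert-for-client-a-renewed"


def demo() -> list[str]:
    """Three connections from 'alice': first contact, repeat, changed certificate."""
    store = PinStore()
    return [store.check("alice", c) for c in (CLIENT_A_CERT, CLIENT_A_CERT, CLIENT_A_RENEWED)]
```

A MISMATCH is the signal an operator has to act on (a legitimately renewed client certificate needs an explicit re-pin), exactly as with a changed SSH host key.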
