[gnutls-dev] generate_rdn_seq() collects CA's issuers, why?

Max Kellermann max at duempel.org
Tue Dec 12 18:50:17 CET 2006


I'm currently hunting a tricky problem in my gnutls application; the
client refuses to send any certificates to the server.  I tracked it
all down to generate_rdn_seq(), which does not add the CA's DNs to the
rdn_seq, but adds the CA's issuer's DNs.

Why that?

The CAs are being trusted, not the CA's issuers.  Now my client only
sees the root CA, which did not sign his client certificate (Root CA
-> client CA -> client certificate) - which is why the client will not
send any certificate.

Two experiments resulted in a success (which should not be):

- first, I added another client certificate to the server's trusted
  "CAs", now the client would see his own issuer in the list and sent
  his own certificate

- second, I modified generate_rdn_seq() to call
  _gnutls_x509_crt_get_raw_dn() instead of
  _gnutls_x509_crt_get_raw_issuer_dn() - the same: everything works

If I'm correct and if this is really a bug in gnutls, I believe my
second experiment is a solution for the gnutls bug.


More information about the Gnutls-devel mailing list