[gnutls-devel] GnuTLS | Solaris (OpenIndiana) parameter handling problem in certtool (#1916)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jul 16 12:34:46 CEST 2026



Issue created by Thomas Dreibholz: https://gitlab.com/gnutls/gnutls/-/work_items/1916



## Description of problem:

I am testing with platform-independent scripts from the [X.509-Tools](https://www.nntb.no/~dreibh/system-tools/#x.509-tools) (Git: [https://github.com/dreibh/system-tools](https://github.com/dreibh/system-tools)), which tests CA hierarchies and certificates under different operating systems (multiple Linux distributions, FreeBSD, NetBSD, OpenBSD, MacOS). Background is to make sure that the CA/certificate setup works on all systems. Currently, I am experimenting with Solaris ([OpenIndiana](https://www.openindiana.org/), 2026.04 version).

Under Solaris, `certtool --verify` fails:

```
$ certtool --verify --verify-profile=future --load-ca-certificate=PATH_TO_CA.crt  --infile=PATH_TO_USER_CERT.crt
certtool: ambiguous option -- verify
```

The same certtool call works fine under Linux, the BSDs, and MacOS.

The problems seems to be the strict handling of long options under Solaris: certtool has multiple options with prefix `--verify`:
```
   -e, --verify-chain         Verify a PEM encoded certificate chain
       --verify               Verify a PEM encoded certificate (chain) against a trusted set
       --verify-hostname=str  Specify a hostname to be used for certificate chain verification
       --verify-email=str     Specify a email to be used for certificate chain verification
                                - prohibits the option 'verify-hostname'
       --verify-purpose=str   Specify a purpose OID to be used for certificate chain verification
       --verify-allow-broken  Allow broken algorithms, such as MD5 for verification
       --verify-profile=str   Specify a security level profile to be used for verification
```

A solution could be to give the option a different name (e.g. `--verify-with-ca`), or a short option (`-E`). At the moment, it is not possible to verify a chain with a CA certificate under Solaris with GnuTLS certtool, i.e. an important feature is broken under Solaris.

## Version of gnutls used:

3.8.13

```
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ uname -a
SunOS openindiana 5.11 illumos-2b7388bd44 i86pc i386 i86pc
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ certtool --version
certtool 3.8.13
```

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

OpenIndiana

```
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
openindiana.org              origin   online F https://pkg.openindiana.org/hipster/
localhostoih                origin   online F http://sfe.opencsw.org/localhostoih/
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/work_items/1916
You're receiving this email because of your account on gitlab.com. Unsubscribe from this thread: https://gitlab.com/-/namespace/17175643/sent_notifications/5-ed0vakpmjgqlq8n9ew4skobyw-a84t7/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20260716/9170e8cb/attachment-0001.html>


More information about the Gnutls-devel mailing list