[gnutls-devel] GnuTLS | Solaris (OpenIndiana) parameter handling problem in certtool (#1916)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Jul 16 12:34:46 CEST 2026
Issue created by Thomas Dreibholz: https://gitlab.com/gnutls/gnutls/-/work_items/1916
## Description of problem:
I am testing with platform-independent scripts from the [X.509-Tools](https://www.nntb.no/~dreibh/system-tools/#x.509-tools) (Git: [https://github.com/dreibh/system-tools](https://github.com/dreibh/system-tools)), which tests CA hierarchies and certificates under different operating systems (multiple Linux distributions, FreeBSD, NetBSD, OpenBSD, MacOS). Background is to make sure that the CA/certificate setup works on all systems. Currently, I am experimenting with Solaris ([OpenIndiana](https://www.openindiana.org/), 2026.04 version).
Under Solaris, `certtool --verify` fails:
```
$ certtool --verify --verify-profile=future --load-ca-certificate=PATH_TO_CA.crt --infile=PATH_TO_USER_CERT.crt
certtool: ambiguous option -- verify
```
The same certtool call works fine under Linux, the BSDs, and MacOS.
The problems seems to be the strict handling of long options under Solaris: certtool has multiple options with prefix `--verify`:
```
-e, --verify-chain Verify a PEM encoded certificate chain
--verify Verify a PEM encoded certificate (chain) against a trusted set
--verify-hostname=str Specify a hostname to be used for certificate chain verification
--verify-email=str Specify a email to be used for certificate chain verification
- prohibits the option 'verify-hostname'
--verify-purpose=str Specify a purpose OID to be used for certificate chain verification
--verify-allow-broken Allow broken algorithms, such as MD5 for verification
--verify-profile=str Specify a security level profile to be used for verification
```
A solution could be to give the option a different name (e.g. `--verify-with-ca`), or a short option (`-E`). At the moment, it is not possible to verify a chain with a CA certificate under Solaris with GnuTLS certtool, i.e. an important feature is broken under Solaris.
## Version of gnutls used:
3.8.13
```
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ uname -a
SunOS openindiana 5.11 illumos-2b7388bd44 i86pc i386 i86pc
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ certtool --version
certtool 3.8.13
```
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
OpenIndiana
```
(x509) nornetpp at openindiana:~/src/system-tools/src/X509$ pkg publisher
PUBLISHER TYPE STATUS P LOCATION
openindiana.org origin online F https://pkg.openindiana.org/hipster/
localhostoih origin online F http://sfe.opencsw.org/localhostoih/
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/work_items/1916
You're receiving this email because of your account on gitlab.com. Unsubscribe from this thread: https://gitlab.com/-/namespace/17175643/sent_notifications/5-ed0vakpmjgqlq8n9ew4skobyw-a84t7/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20260716/9170e8cb/attachment-0001.html>
More information about the Gnutls-devel
mailing list