[Help-gnutls] Peer certificates not signed by any CA

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jun 22 01:30:53 CEST 2006


On Tue 13 Jun 2006 16:28, Florian Weimer wrote:
> On Tue, Jun 13, 2006 at 02:51:34PM +0200, fweimer wrote:
> > > In that case if you would like to send the client certificate
> > > anyway, you should use the callback function (don't remember the
> > > name right now).
> >
> > Will try and report.
>
> gnutls_certificate_client_get_request_status still returns 0 on the
> client side, but it seems that this time, a certificate is actually
> transmitted in a way the server can handle it.
This looks like a bug, but from a quick glimpse the code looks ok.
I'll try to check it further once I have more time.

> May I assume that the first certificate returned by
> gnutls_certificate_get_peers contains public key material which
> actually corresponds to the private key material which was used to
> establish the session?
No. That would be the last certificate in the chain. 

> By the way, gnutls_certificate_client_set_retrieve_function is not a
> well-designed interface.  The callback function lacks a closure
> parameter. 
What do you mean by closure parameter?

> Even worse, it is hard to fake it because 
> gnutls_certificate_client_set_retrieve_function is called with a
> credentials structure, and the callback is called with a session
> structure.  Extremely annoying.
But you want to know the session in the callback (to obtain information 
about the current session). The session is the caller of the callback. 

regards,
Nikos
