[Help-gnutls] Peer certificates not signed by any CA

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jun 4 13:40:25 CEST 2010


On Fri, Jun 4, 2010 at 10:49 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Nikos Mavrogiannopoulos:
>
>>> May I assume that the first certificate returned by
>>> gnutls_certifcate_get_peers contains public key material which
>>> actually corresponds to the private key material which was used to
>>> establish the ssession?
>
>> No. That would be the last certificate in the chain.
>
> But the documentation says:
>
>     Get the peer's raw certificate (chain) as sent by the peer.  These
>     certificates are in raw format (DER encoded for X.509).  In case of
>     a X.509 then a certificate list may be present.  The first
>     certificate in the list is the peer's certificate, following the
>     issuer's certificate, then the issuer's issuer etc.
> So which one is correct? 8-)

The documentation is correct. Did I really say the thing above? :)

regards,
Nikos




More information about the Gnutls-help mailing list