Purpose of gnutls_credentials_set

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jun 21 10:20:26 CEST 2010


The client sends the certificate if the server requests a certificate
signed with its CA.
Does the server request such a certificate? (You can check with
Wireshark, or you
can print in the callback the DNs of the CAs that the server supports.)

regards,
Nikos

On Mon, Jun 21, 2010 at 9:06 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Nikos Mavrogiannopoulos:
>
>> Florian Weimer wrote:
>>> * Nikos Mavrogiannopoulos:
>>>
>>>> After or during the handshake (with a callback whose name I don't
>>>> remember) you should verify the certificate chain received from the peer.
>>>> For that you can use gnutls_certificate_verify_peers2(). Could you
>>>> suggest the points in documentation that were not clear for you, so we
>>>> can correct them? The problem when I read the documentation is that I
>>>> know everything :) that needs to be done, so such things are easy to
>>>> miss.
>>> gnutls_certificate_set_x509_key, gnutls_certificate_set_x509_key_mem,
>>> gnutls_certificate_set_x509_key_file should mention that they are only
>>> relevant to the server side, and that on the client side,
>>> gnutls_certificate_client_set_retrieve_function has to be used to
>>> install a callback which provides the certificate to send to the
>>> server.
>>
>> Hi,
>> Actually those functions you mention are valid for both client and
>> server side. The callback is optional and suitable for the case where
>> you might not initially know which certificate to load.
>
> But if I don't use the callback, the client does not actually send the
> certificate, so I'm now totally confused. 8-)
>
> --
> Florian Weimer                <fweimer at bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99
>
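Nikos's suggestion to look at which CAs the server advertises can also be done offline on a captured handshake. The following Python script is an added example and is not part of this thread or of GnuTLS: it parses the body of a TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4), renders each advertised CA distinguished name, and checks whether a client certificate's issuer DN appears in that list, which is the condition under which a client actually sends its certificate. All sample data (the CA names and the request body) is constructed inline; the DER helpers assume single-valued RDNs with UTF8String values, which is enough for the constructed input.

```python
import struct

# Attribute-type OIDs (DER contents octets) for the RDN types rendered by name.
OID_NAMES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x06": "C",
}

def der_tlv(tag, content):
    """Encode one DER TLV, using short or long-form length as required."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_name(*rdns):
    """Build a DER Name (RDNSequence) from (oid_bytes, text) pairs (constructed test data)."""
    seq = b""
    for oid, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode()))
        seq += der_tlv(0x31, atv)          # one single-valued RDN per SET
    return der_tlv(0x30, seq)

def der_read(buf, pos):
    """Read one TLV starting at pos; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def name_to_string(der):
    """Render a DER Name as 'C=..,O=..,CN=..'; unknown attribute OIDs are shown as hex."""
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = der_read(seq, pos)   # RelativeDistinguishedName (SET)
        _, atv, _ = der_read(rdn_set, 0)        # first AttributeTypeAndValue
        _, oid, p = der_read(atv, 0)
        _, value, _ = der_read(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)

def build_certificate_request(ca_names):
    """Construct a TLS 1.2 CertificateRequest body advertising the given DER names."""
    cert_types = bytes([3, 1, 2, 64])                      # rsa_sign, dss_sign, ecdsa_sign
    sig_algs = bytes([0x04, 0x01, 0x05, 0x01, 0x04, 0x03])  # sha256/rsa, sha384/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (cert_types + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def parse_certificate_request(body):
    """Return the DER-encoded DNs from the certificate_authorities field of a CertificateRequest body."""
    pos = 0
    n_types = body[pos]
    pos += 1 + n_types                          # skip certificate_types
    sigalg_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + sigalg_len                       # skip supported_signature_algorithms
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    names = []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return names

def acceptable_issuer(body, issuer_der):
    """True if the server's CA list names this issuer; an empty list means any CA is acceptable."""
    cas = parse_certificate_request(body)
    return not cas or issuer_der in cas

# Constructed sample: two advertised CAs, as a server might send them.
EXAMPLE_CA = der_name((b"\x55\x04\x06", "DE"), (b"\x55\x04\x0a", "Example CA"),
                      (b"\x55\x04\x03", "Example Root"))
OTHER_CA = der_name((b"\x55\x04\x03", "Other CA"))
SAMPLE_REQUEST = build_certificate_request([EXAMPLE_CA, OTHER_CA])

if __name__ == "__main__":
    for dn in parse_certificate_request(SAMPLE_REQUEST):
        print("server accepts CA:", name_to_string(dn))
    print("client issuer acceptable:", acceptable_issuer(SAMPLE_REQUEST, EXAMPLE_CA))
```

The comparison is a byte-for-byte match on the DER Name, which is the same information the GnuTLS client retrieve callback receives in its req_ca_rdn argument; if the issuer of the loaded client certificate is not in this list (and the list is not empty), the client has nothing acceptable to offer and sends an empty certificate, which is the symptom described in the thread.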