On Monday 22 August 2005 09:56, Daniel Stenberg wrote:

Hello,

> I have a little problem with my GnuTLS-enabled libcurl and CA cert
> verifying a server. If I build it with OpenSSL instead it succeeds (using
> the same CA cert file I should say).
>
> Can you perhaps point out an obvious flaw in this flow?
>
> gnutls_certificate_allocate_credentials()
> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided

You may want to check the return value to see how many certificates were
loaded.

> gnutls_init()
> gnutls_set_default_priority()
> gnutls_certificate_type_set_priority()
> gnutls_credentials_set() - sets the cred with the CA file, afaik understood
> gnutls_transport_set_ptr() - sets the file descriptor for the socket
> gnutls_handshake() - handshake, done non-blocking but I doubt that matters

It doesn't.

> gnutls_certificate_get_peers()
> gnutls_certificate_verify_peers2() - this seems to always return error with
> the 'verify_status' integer (that the second argument points to) set to 66
> on exit.

What is the error number returned? The status is garbage if this function
returns an error code.

The sequence looks good. It is just like gnutls-cli, so the problem is
somewhere in the details.

> $ curl -v https://gmail.google.com/ --cacert
> /usr/share/curl/curl-ca-bundle.crt

What does gnutls-cli give with the same input?

-- 
Nikos Mavrogiannopoulos

_______________________________________________
Help-gnutls mailing list
help-gnutls@gnu.org
http://lists.gnu.org/mailman/listinfo/help-gnutls
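The two return-value checks Nikos asks for are the ones that decide whether the peer is trusted at all, so here is how a client should consume them. This is an added example, not code from the thread, from libcurl or from GnuTLS: the status bit values are copied from the gnutls_certificate_status_t enum in <gnutls/gnutls.h> of GnuTLS 1.x so the file compiles without libgnutls installed (in a real build, include the header instead of redefining them); the function names trust_file_usable and peer_chain_acceptable are this example's own. The status word 66 is the value reported in the thread; its decoding below is only meaningful if gnutls_certificate_verify_peers2() actually returned 0, which the thread does not establish.

```c
#include <stdio.h>
#include <string.h>

/* Bits of gnutls_certificate_status_t as defined in <gnutls/gnutls.h>
 * (GnuTLS 1.x). Mirrored here only so the example builds without
 * libgnutls; a real client includes the header instead. */
#define GNUTLS_CERT_INVALID           2u
#define GNUTLS_CERT_REVOKED          32u
#define GNUTLS_CERT_SIGNER_NOT_FOUND 64u
#define GNUTLS_CERT_SIGNER_NOT_CA   128u

/* Interpret the return value of gnutls_certificate_set_x509_trust_file():
 * negative is a GnuTLS error code, zero means the file parsed but yielded
 * no usable CA certificate, positive is the number of CAs now trusted.
 * Only the last case can ever make a server certificate verify. */
int trust_file_usable(int rc)
{
    return rc > 0;
}

/* Decide on the peer chain from the outputs of
 * gnutls_certificate_verify_peers2(): rc is its return value, status the
 * word it writes through its second argument. If rc is negative the call
 * failed and status was never written, so it must not be interpreted.
 * Returns 1 only when rc == 0 and no status bit is set; otherwise 0, with
 * a human-readable reason written to out. */
int peer_chain_acceptable(int rc, unsigned status, char *out, size_t n)
{
    static const struct { unsigned bit; const char *name; } bits[] = {
        { GNUTLS_CERT_INVALID,          "INVALID" },
        { GNUTLS_CERT_REVOKED,          "REVOKED" },
        { GNUTLS_CERT_SIGNER_NOT_FOUND, "SIGNER_NOT_FOUND" },
        { GNUTLS_CERT_SIGNER_NOT_CA,    "SIGNER_NOT_CA" },
    };
    size_t i;

    if (rc < 0) {
        snprintf(out, n, "verify_peers2 failed (%d); status undefined", rc);
        return 0;
    }
    if (status == 0) {
        snprintf(out, n, "chain verified");
        return 1;
    }
    out[0] = '\0';
    for (i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (status & bits[i].bit) {
            if (out[0])
                strncat(out, "|", n - strlen(out) - 1);
            strncat(out, bits[i].name, n - strlen(out) - 1);
            status &= ~bits[i].bit;
        }
    }
    if (status) {            /* bits newer than this table knows about */
        char tmp[32];
        snprintf(tmp, sizeof tmp, "%sunknown(0x%x)", out[0] ? "|" : "", status);
        strncat(out, tmp, n - strlen(out) - 1);
    }
    return 0;
}

int main(void)
{
    char why[128];
    /* Constructed inputs: the 66 seen in the thread, a clean chain, and a
     * failed call whose status word is leftover stack garbage. */
    int ok = peer_chain_acceptable(0, 66, why, sizeof why);
    printf("rc=0  status=66 -> accept=%d (%s)\n", ok, why);
    ok = peer_chain_acceptable(0, 0, why, sizeof why);
    printf("rc=0  status=0  -> accept=%d (%s)\n", ok, why);
    ok = peer_chain_acceptable(-1, 0, why, sizeof why);
    printf("rc=-1 status=0  -> accept=%d (%s)\n", ok, why);
    printf("trust file loaded 0 CAs usable: %d\n", trust_file_usable(0));
    return 0;
}
```

With the constants above, 66 decodes as INVALID|SIGNER_NOT_FOUND, which is exactly what a client sees when the trust file contributed no CA that signs the server chain; that is why the count returned by gnutls_certificate_set_x509_trust_file() is the first thing to look at. The acceptance rule is deliberately strict: a negative return from the verify call is a failure, not a pass, and any non-zero status bit, known or unknown, rejects the peer.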
