Albert Chin <[EMAIL PROTECTED]> writes:

> On Mon, May 15, 2006 at 02:05:45PM +0200, Simon Josefsson wrote:
>> Albert Chin <[EMAIL PROTECTED]> writes:
>>
>> > OpenSSL has a directory and path for certificates in PEM format used
>> > to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
>> > have similar functionality?
>>
>> GnuTLS does not support reading all files in a directory, but it
>> supports reading CA certificates in PEM format from a file, see
>> gnutls_certificate_set_x509_trust_file(). You'll call
>> gnutls_certificate_verify_peers2() to use it.
>
> Is there a default CA certificate file or do all clients need to call
> gnutls_certificate_set_x509_trust_file()?
There is no default CA certificate file for all GnuTLS applications; all applications must call that function internally and have a local policy on which CAs are acceptable, and thus, generally, a different path for each application.

I'm not sure it is possible to have a "default CA" file/path that works fine for all kinds of GnuTLS applications. The kind of CAs that are OK for one application may be unacceptable for another, and vice versa.

It may be useful to centralize certificates per usage on a single machine though, to improve user experience. It may make sense to have a "default" file with CAs used by all IMAP GnuTLS applications on a host, one for all HTTPS GnuTLS applications, and so on. There could be some GNOME tool to manage the certificates, per usage.

Alternatively, creating a gnutls_certificate_set_x509_trust_dir() and having it read files à la OpenSSL may be a solution too.

/Simon
