On Thu, 18 Oct 2007 15:34:25 +0200, Simon Josefsson wrote:

Hi,

> I believe most distributions (e.g., Debian) maintain that file. I
> couldn't find a 'ca-certificates.crt' file in openssl 0.9.8e,
> although I didn't look very carefully.

Ah, you're right, it's provided by another package, ca-certificates.

> > gnutls_certificate_verify_peers2(session, &status);
> >
> > Then I'm able to get valid certificates from, for example,
> > pop.gmail.com.
>
> You'll need to do more than that to verify pop.gmail.com's
> certificate, there is an example in the manual:

Indeed, there's also the validity date and the hostname to check... I
forgot those :)

> > At this step however, there's no connection to the server running,
> > so I can only use gnutls_x509_crt_verify(), and that doesn't check
> > the issuer certificate(s), so I always have GNUTLS_CERT_INVALID...
> > Whereas using OpenSSL, I could use X509_verify_cert(&store) and
> > openssl checks the whole chain.
> >
> > Do you have any pointers for that?
>
> Check the source code for gnutls_certificate_verify_peers2, it
> contains what you have to do externally. I don't think there is a
> better interface available.

I've looked at it, but this code seems really closely interlaced with
things done at session start, and I couldn't figure out how to get the
certificates list starting from a gnutls_x509_crt...

-- 
Colin
