On Sat, 16 Feb 2008, Nikos Mavrogiannopoulos wrote:
The culprit here for you is the -101. That's
gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.
I can see two cases where this can be returned.
1. the verify depth of the certificate is quite high (ie the chain
being verified is long).
The default maximum depth is 6. Although it is possible to have such
long chain, it is most probably
a configuration error if the server sends more than 6 certificates.
- this limit can be adjusted by gnutls_certificate_set_verify_limits()
2. the key bits of the certificates are longer than the maximum allowed
(8200). this limit can also be adjusted by the same function.
But seeing this is a live server used by mere mortals out there (it is a bank
after all), wouldn't it perhaps be an indication that the defaults are a bit
too restrictive? Also, both OpenSSL and Firefox (NSS) deal with it by default.
However, I tried adding this:
gnutls_certificate_set_verify_limits(conn->ssl[sockindex].cred,
20200, 18);
Is there any way for me to figure out sensible values for me to set to this
function? I just upped them a couple of times until the function worked!
And yes, it now makes gnutls_certificate_verify_peers2() return success but
then... verify_status still contained the GNUTLS_CERT_INVALID bit. So
something still isn't liking this server!
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
