21 May 13:42
Re: client certificate not provided when no common root ca
From: Rainer Gerhards <rgerhards <at> gmail.com>
Subject: Re: client certificate not provided when no common root ca
Newsgroups: gmane.network.gnutls.general
Date: 2008-05-21 11:42:14 GMT
Hi Nikos, inline...

On Wed, May 21, 2008 at 1:35 PM, Nikos Mavrogiannopoulos <nmav <at> gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi list,
>>
>> me again ;) I have a server and client, both with self-signed
>> certificates and no common root CA. My server requests the client's
>> certificate. However, it does not receive one when there is no common
>> root CA. If I add a common root CA to both client and server (but
>> still have self-signed certs NOT signed by the common CA), I receive
>> the client certificate.
>> Is this desired behavior (I think I read it is, but can no longer find
>> the doc page where it is described).
>
> Yes this is the desired behavior. That is because the server requests
> certificates only from the CAs he trusts.

That makes an awful lot of sense ;)

>
>> If so, is there any way around it
>> (e.g. via the certificate retrieve functions)?
>
> 1. Include the client CA certificate into the server trusted CA list
>
> 2. (hack)
> You should use the callback functions in client so that you can send any
> certificate that you like regardless of what the server requests (check
> gnutls-cli code).

I'll go for 2, as I need to support self-signed certs (again, the
fingerprint issue).

Thanks again for your help,
Rainer
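The mechanism behind Nikos's answer is the certificate_authorities list that the server puts into its TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4): it carries the DER-encoded names of the CAs the server trusts, and a client that selects by issuer has nothing to offer when its self-signed certificate does not chain to any of them. The following is an added example, not code from this thread and not GnuTLS's own selection logic: it decodes a constructed CertificateRequest body, extracts the requested CA names, and models the two client policies the thread contrasts (select only a certificate issued by a requested CA, or, as the callback "hack" does, offer the certificate regardless). It also covers the empty-list case, where RFC 5246 allows the client to send any certificate of an acceptable type. The DER helpers handle only the short-length, CN/O/C attribute forms needed here; all names and the request bytes are constructed test data.

```python
# Added example (not from the thread, not GnuTLS code): decode a TLS 1.2
# CertificateRequest and model client-side certificate selection policies.
from __future__ import annotations
import struct

# --- minimal DER helpers (enough for a Name made of CN/O/C attributes) --------
OID_SHORT_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (content shorter than 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content

def der_decode(buf: bytes, off: int = 0):
    """Decode one DER TLV at buf[off]; returns (tag, content, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def make_name(**attrs) -> bytes:
    """Build a DER X.501 Name, e.g. make_name(CN="Root CA") (constructed test data)."""
    oid_by_short = {v: k for k, v in OID_SHORT_NAMES.items()}
    rdns = b""
    for short, value in attrs.items():
        atv = der_encode(0x06, oid_by_short[short]) + der_encode(0x0C, value.encode())
        rdns += der_encode(0x31, der_encode(0x30, atv))   # SET { SEQUENCE { oid, value } }
    return der_encode(0x30, rdns)                         # SEQUENCE OF RelativeDistinguishedName

def name_to_string(der_name: bytes) -> str:
    """Render a DER Name as 'CN=...,O=...' (attribute values assumed UTF-8/printable)."""
    tag, rdn_seq, _ = der_decode(der_name)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, off = [], 0
    while off < len(rdn_seq):
        _, rdn_set, off = der_decode(rdn_seq, off)
        _, atv, _ = der_decode(rdn_set)
        _, oid, next_off = der_decode(atv)
        _, value, _ = der_decode(atv, next_off)
        parts.append(f"{OID_SHORT_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)

# --- TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4) ----------------
def build_certificate_request(ca_names: list) -> bytes:
    """Constructed handshake body: rsa_sign/ecdsa_sign, two sigalgs, the given CA DNs."""
    cert_types = bytes([1, 64])                     # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])                  # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack(">H", len(sig_algs)) + sig_algs
            + struct.pack(">H", len(cas)) + cas)

def parse_certificate_request(body: bytes) -> dict:
    """Return certificate_types, signature algorithms and the requested CA DNs as strings."""
    off = 0
    n = body[off]; off += 1
    cert_types = list(body[off:off + n]); off += n
    (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(off, off + n, 2)]; off += n
    (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
    end, cas = off + n, []
    while off < end:
        (dn_len,) = struct.unpack(">H", body[off:off + 2]); off += 2
        cas.append(name_to_string(body[off:off + dn_len])); off += dn_len
    if off != end or off != len(body):
        raise ValueError("malformed certificate_authorities list")
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}

# --- client-side selection policies discussed in the thread -------------------
def client_sends_certificate(requested_cas: list, issuer_dn: str, force: bool = False) -> bool:
    """Default policy: offer the certificate only if its issuer is one of the requested
    CAs (a self-signed certificate's issuer is its own subject).  An empty list means the
    client may send any certificate (RFC 5246).  force=True models the retrieve-callback
    approach from the thread: offer the certificate regardless of what was requested."""
    if force or not requested_cas:
        return True
    return issuer_dn in requested_cas

if __name__ == "__main__":
    req = build_certificate_request([make_name(CN="Common Root CA")])   # constructed
    info = parse_certificate_request(req)
    print("server requests certificates from:", info["certificate_authorities"])
    self_signed = "CN=rsyslog client"                                   # issuer == subject
    print("default policy sends cert:", client_sends_certificate(info["certificate_authorities"], self_signed))
    print("callback override sends cert:", client_sends_certificate(info["certificate_authorities"], self_signed, force=True))
```

Adding the client's own self-signed certificate to the server's trusted list (Nikos's option 1) makes its name appear in the request, so the default policy then matches; the override (option 2) sends the certificate whatever the list says and leaves the server to accept or reject it by fingerprint.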