help-gnutls

[Help-gnutls] Re: Certs directory for peer certificate validation


From: Simon Josefsson
Subject: [Help-gnutls] Re: Certs directory for peer certificate validation
Date: Mon, 15 May 2006 18:10:15 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

Albert Chin <address@hidden> writes:

> On Mon, May 15, 2006 at 02:05:45PM +0200, Simon Josefsson wrote:
>> Albert Chin <address@hidden> writes:
>> 
>> > OpenSSL has a directory and path for certificates in PEM format used
>> > to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
>> > have similar functionality?
>> 
>> GnuTLS does not support reading all files in a directory, but it
>> supports reading CA certificates in PEM format from a file, see
>> gnutls_certificate_set_x509_trust_file().  You'll call
>> gnutls_certificate_verify_peers2() to use it.
>
> Is there a default CA certificate file or do all clients need to call
> gnutls_certificate_set_x509_trust_file()?

There is no default CA certificate file for all GnuTLS applications,
all applications must call that function internally, and have a local
policy on which CAs are acceptable, and thus, generally, a different
path for each application.

I'm not sure it is possible to have a "default CA" file/path that
works fine for all kinds of GnuTLS applications.  The kind of CAs that
are OK for one application may be unacceptable for another, and vice
versa.

It may be useful to centralize certificates per-usage on a single
machine though, to improve user experience.  It may make sense to
have a "default" file with CAs used by all IMAP GnuTLS applications on
a host, one for all HTTPS GnuTLS applications and so on.  There could
be some GNOME tool to manage the certificates, per usage.

Alternatively, creating a gnutls_certificate_set_x509_trust_dir() and
having it read files à la OpenSSL may be a solution too.

/Simon
