
[Help-gnutls] libgnutls: Verifying certificate chains, disconnected


From: Colin Leroy
Subject: [Help-gnutls] libgnutls: Verifying certificate chains, disconnected
Date: Thu, 18 Oct 2007 09:47:10 +0200

Hello,

I'm one of the Claws Mail developers, and started integrating GnuTLS to
replace OpenSSL as our SSL library. Most of it works fine already, I
just have a few problems in the certificate verification area.

First thing: if I understand correctly, GnuTLS doesn't ship a list of
trusted CAs like OpenSSL. In order to be able to verify certificates
and present them as valid, I have to do something like

gnutls_certificate_set_x509_trust_file(xcred,
        "/etc/ssl/certs/ca-certificates.crt");

(this file comes from OpenSSL), then

gnutls_certificate_verify_peers2(session, &status);

Then I'm able to get valid certificates from, for example,
pop.gmail.com.

The other problem, more important imho than having to set a trust file,
is that it seems I can do this only when I have a connected session.
Claws Mail stores known certificates on disk, and has an SSL
certificates manager UI, in which you can list and display the
certificates it has stored. 

At this step however, there's no connection to the server running, so I
can only use gnutls_x509_crt_verify(), and that doesn't check the issuer
certificate(s), so I always have GNUTLS_CERT_INVALID... Whereas using
OpenSSL, I could use X509_verify_cert(&store) and openssl checks the
whole chain.

Do you have any pointers for that? 

Thanks a lot in advance,
-- 
Colin
