[Help-gnutls] Re: libgnutls: Verifying certificate chains, disconnected


From: Simon Josefsson
Subject: [Help-gnutls] Re: libgnutls: Verifying certificate chains, disconnected
Date: Thu, 18 Oct 2007 15:34:25 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Colin Leroy <address@hidden> writes:

> Hello,
>
> I'm one of the Claws Mail developers, and started integrating GnuTLS to
> replace OpenSSL as our ssl library. Most of it works fine already, I
> just have a few problems in the certificate verification area.
>
> First thing: if I understand correctly, GnuTLS doesn't ship a list of
> trusted CAs like OpenSSL. In order to be able to verify certificates
> and present them as valid, I have to do something like
>
> gnutls_certificate_set_x509_trust_file(xcred,
>       "/etc/ssl/certs/ca-certificates.crt");
>
> (this file comes from OpenSSL), then

I believe most distributions (e.g., Debian) maintain that file.  I
couldn't find a 'ca-certificates.crt' file in openssl 0.9.8e, although I
didn't look very carefully.

> gnutls_certificate_verify_peers2(session, &status);
>
> Then I'm able to get valid certificates from, for example,
> pop.gmail.com.

You'll need to do more than that to verify pop.gmail.com's certificate;
there is an example in the manual:

http://www.gnu.org/software/gnutls/manual/html_node/Verifying-peer_0027s-certificate.html

You may want to look at the source for the 'msmtp' and/or 'mpop' utilities;
they use GnuTLS and claim to do proper certificate verification:
http://msmtp.sourceforge.net/ http://mpop.sourceforge.net/

Possibly there should be a simple utility function that does everything,
but this is quite application dependent so it is difficult to implement
it.

Generally, I think that ideally the X.509 stuff should be in another
library than GnuTLS.  That would make things more modular and the
interface between TLS the protocol and X.509 the certificate format more
clear.

> The other problem, more important imho than having to set a trust file,
> is that it seems I can do this only when I have a connected session.
> Claws Mail stores known certificates on disk, and has an SSL
> certificates manager UI, in which you can list and display the
> certificates it has stored.
>
> At this step however, there's no connection to the server running, so I
> can only use gnutls_x509_crt_verify(), and that doesn't check the issuer
> certificate(s), so I always have GNUTLS_CERT_INVALID... Whereas using
> OpenSSL, I could use X509_verify_cert(&store) and openssl checks the
> whole chain.
>
> Do you have any pointers for that?

Check the source code for gnutls_certificate_verify_peers2; it contains
what you have to do externally.  I don't think there is a better
interface available.

/Simon
