emacs-devel

Re: GnuTLS and certificate verification


From: Ted Zlatanov
Subject: Re: GnuTLS and certificate verification
Date: Fri, 21 Dec 2012 12:17:25 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Thu, 06 Sep 2012 00:13:06 +0200 Julien Danjou <address@hidden> wrote: 

JD> I'd like gnutls to check that the servers I connect to are trusted. Using
JD> Gnus and smtpmail, currently, the check is disabled because
JD> the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
JD> It seems nothing uses it for now.

JD> I wonder if adding a global defcustom would be helpful here. WDYT?

Yes, if the underlying code works.

JD> OTOH, I've tried to set it manually to t, and I added my CA to the known
JD> certificates. gnutls-bin is now happy to connect to my IMAP server and
JD> considers it secure ("Peer's certificate is trusted"). But with
JD> gnutls.c, I keep hitting:

JD>   if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
JD>     GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
JD>              c_hostname);

JD> Note that the trustfile used seems correct too.

JD> If anybody has a clue, I'd be glad… 

I tested this but not thoroughly with self-signed certs (which it seems
you're using, though I can't be sure from your description).

This specific error could be due to many things; you need to either look
at the GnuTLS context yourself, post a recipe for duplicating the issue
here or in a bug, or ask in the gnutls-devel mailing list with that
recipe.  Either way I will try to help you find the solution.

Ted


