Re: GnuTLS and certificate verification

From: Ted Zlatanov
Subject: Re: GnuTLS and certificate verification
Date: Fri, 21 Dec 2012 12:17:25 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Thu, 06 Sep 2012 00:13:06 +0200 Julien Danjou <address@hidden> wrote:
JD> I'd like gnutls to check that the servers I connect to are trusted. Using
JD> Gnus and smtpmail, currently, the check is disabled because
JD> the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
JD> It seems nothing uses it for now.
JD> I wonder if adding a global defcustom would be helpful here. WDYT?

Yes, if the underlying code works.

JD> OTOH, I've tried to set it manually to t, and I added my CA to the known
JD> certificates. gnutls-bin is now happy to connect to my IMAP server and
JD> considers it secure ("Peer's certificate is trusted"). But with
JD> gnutls.c, I keep hitting:
JD>   if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
JD>     GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
JD>                  c_hostname);
JD> Note that the trustfile used seems correct too.
JD> If anybody has a clue, I'd be glad…

I tested this but not thoroughly with self-signed certs (which it seems
you're using, though I can't be sure from your description).

This specific error could be due to many things; you need to either look
at the GnuTLS context yourself, post a recipe for duplicating the issue
here or in a bug, or ask in the gnutls-devel mailing list with that
recipe. Either way I will try to help you find the solution.

Ted