This one time, at band camp, Simon Josefsson said:
> Hi! I'm commenting one thing only in this post, prompted by
> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
>
> > and most importantly for me, openssl actually supports full
> > certificate chain lookups, so you can be guaranteed that this cert was
> > signed by that ca. gnutls does not, to the best of my
> > knowledge.
>
> That is not true. GnuTLS can verify that the client certificate chains
> back to the CA, and has been doing so for a long time (before I became
> GnuTLS maintainer). Naturally, the application needs to do the right
> thing to trigger that feature, but there are examples and documentation
> on how to do it. I looked in the source for exim4 in src/tls-gnu.c
> which contains:
I spoke imprecisely, and for that I'm sorry. I meant that when exim is compiled against openssl, it can be pointed to a directory of hashed certs and it will perform validation against certs found there. gnutls does not seem to have this ability, to the best of my knowledge, and you have to instead manually include, in a file, the ca.crts you are interested in. This may be a limitation of the parts of the gnutls API that exim exposes, but I was under the impression this is a limitation of gnutls.

I remember some issues getting CRLs to work with exim and gnutls, but that may have either been an error in the exim implementation or an error on my part - gnutls would not be very useful if it couldn't handle revocations.

Cheers,
-- 
-----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sg...@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
-----------------------------------------------------------------
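The "directory of hashed certs" convention Stephen refers to is OpenSSL's CApath lookup: each CA certificate lives in a file named after its subject-name hash with a numeric suffix. The script below, an added example that is not part of the thread, builds a throwaway CA and leaf certificate, installs the CA under that naming scheme, and shows chain verification failing before the CA is in place and succeeding afterwards. It assumes only that the openssl command-line tool is installed; every name and path is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: OpenSSL-style hashed CA directory and -CApath chain verification.
# Assumes the openssl CLI is available; all key material and names are constructed.
set -eu
WORK=$(mktemp -d)
CAPATH="$WORK/cadir"

make_certs() {
  # Throwaway self-signed CA (openssl req -x509 marks it CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Example Test CA" 2>/dev/null
  # Leaf CSR, then a leaf certificate signed by the CA above
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 1 2>/dev/null
}

# Install a CA certificate under the name the CApath lookup expects:
# <subject hash>.0 (".1", ".2", ... are used when several subjects collide).
install_ca() {
  mkdir -p "$CAPATH"
  hash=$(openssl x509 -in "$1" -noout -hash)
  cp "$1" "$CAPATH/$hash.0"
}

# Verify a leaf certificate's chain against a hashed directory; prints OK or FAIL.
verify_leaf() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_certs
# Without the issuing CA in the directory the chain cannot be built ...
verify_leaf "$WORK/empty-dir" "$WORK/leaf.pem"
install_ca "$WORK/ca.pem"
# ... once the CA is installed under its hash name, verification succeeds.
verify_leaf "$CAPATH" "$WORK/leaf.pem"
```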