Stephen Gran <sg...@debian.org> writes:

> This one time, at band camp, Simon Josefsson said:
>> Hi! I'm commenting one thing only in this post, prompted by
>> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
>>
>> > and most importantly for me, openssl actually supports full
>> > certificate chain lookups, so you can be guaranteed that this cert was
>> > signed by that ca. gnutls does not, to the best of my
>> > knowledge.
>>
>> That is not true. GnuTLS can verify that the client certificate chains
>> back to the CA, and has been doing so for a long time (before I became
>> GnuTLS maintainer). Naturally, the application needs to do the right
>> thing to trigger that feature, but there are examples and documentation
>> on how to do it. I looked in the source for exim4 in src/tls-gnu.c
>> which contains:
>
> I spoke imprecisely, and for that I'm sorry. I meant that when exim is
> compiled against openssl, it can be pointed to a directory of hashed
> certs and it will perform validation against certs found there. gnutls
> does not seem to have this ability, to the best of my knowledge, and you
> have to instead manually include the ca.crts you are interested in a
> file.
Right.

> This may be a limitation of the parts of the gnutls API that exim
> exposes, but I was under the impression this is a limitation of
> gnutls.

It is intentional, not a limitation. The method to use a directory with
hashed certs is specific to OpenSSL. The GnuTLS APIs allow you to
implement that model, if you really want to: use readdir to list the
files in the directory, and decide whether to parse and trust each file
as a CA cert. Be sure to compare this with OpenSSL's documentation on
how hashed directories are intended to work; maybe you shouldn't trust
all files in that directory.

> I remember some issues getting CRLs to work with exim and gnutls, but
> that may have either been an error in the exim implementation or an
> error on my part - gnutls would not be very useful if it couldn't handle
> revocations.

Please report it to us if you can reproduce it. I don't think many
people use CRLs.

/Simon

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
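An added illustration of the readdir approach Simon sketches above, and of his caveat that not every file in the directory deserves trust. This is example code written for this page; it is not from the thread, from exim's src/tls-gnu.c or from GnuTLS. It accepts only entries that follow the naming convention OpenSSL's c_rehash produces for CA certificates (eight lowercase hex digits of the subject-name hash, a dot, a decimal sequence number), skips CRL entries and anything else in the directory (the unhashed originals, READMEs, backups), and checks that what it opens is a regular file starting with a PEM certificate header. Handing each accepted path to gnutls_certificate_set_x509_trust_file() would be the next step; it is left as a comment so the block compiles without GnuTLS headers. The directory contents built by demo_scan() are constructed placeholders, not real certificates.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only the names c_rehash produces for CA certificates: eight lowercase
 * hex digits (subject-name hash), a dot, a decimal sequence number, e.g.
 * "a1b2c3d4.0". CRL entries ("a1b2c3d4.r0"), unhashed originals ("ca.pem"),
 * READMEs and backups return 0: OpenSSL's by_dir lookup never opens them. */
int is_hashed_cert_name(const char *name)
{
    size_t i, len = strlen(name);
    if (len < 10 || name[8] != '.')
        return 0;
    for (i = 0; i < 8; i++)
        if (!isdigit((unsigned char)name[i]) && !(name[i] >= 'a' && name[i] <= 'f'))
            return 0;
    for (i = 9; i < len; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Cheap sanity check before handing a file to the TLS library: the first line
 * must be a PEM certificate header. */
int looks_like_pem_cert(const char *path)
{
    char line[64];
    FILE *f = fopen(path, "r");
    int ok = 0;
    if (!f) return 0;
    if (fgets(line, sizeof line, f))
        ok = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(f);
    return ok;
}

/* The readdir walk: stores up to max malloc'd paths of accepted entries in out
 * (caller frees) and returns the count, or -1 if the directory can't be opened. */
int scan_hashed_dir(const char *dir, char **out, int max)
{
    struct dirent *e;
    struct stat st;
    char path[4096];
    int n = 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    while (n < max && (e = readdir(d)) != NULL) {
        if (!is_hashed_cert_name(e->d_name))
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        /* c_rehash normally creates symlinks; stat() follows them, but the
         * target must be a regular file. */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || !looks_like_pem_cert(path))
            continue;
        /* A real port would now call gnutls_certificate_set_x509_trust_file()
         * on path (or import it with gnutls_x509_crt_import and check the CA bit). */
        out[n++] = strdup(path);
    }
    closedir(d);
    return n;
}

/* Builds a throwaway directory mimicking c_rehash output plus decoys, scans it,
 * cleans up and returns the number of entries accepted. The file bodies are
 * constructed placeholders, not real certificates. */
int demo_scan(void)
{
    static const char *names[] = { "a1b2c3d4.0", "a1b2c3d4.1", "a1b2c3d4.r0",
                                   "ca.pem", "README", "deadbeef.0" };
    static const char *pem = "-----BEGIN CERTIFICATE-----\nplaceholder\n"
                             "-----END CERTIFICATE-----\n";
    const char *bodies[] = { pem, pem, "-----BEGIN X509 CRL-----\n", pem,
                             "notes\n", "not a certificate\n" };
    char tmpl[] = "/tmp/hashed-certs-XXXXXX", path[4096], *found[16];
    char *dir = mkdtemp(tmpl);
    int i, n;
    if (!dir) return -1;
    for (i = 0; i < 6; i++) {
        FILE *f;
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if ((f = fopen(path, "w")) != NULL) {
            fputs(bodies[i], f);
            fclose(f);
        }
    }
    n = scan_hashed_dir(dir, found, 16);
    for (i = 0; i < n; i++) {
        printf("would trust: %s\n", found[i]);
        free(found[i]);
    }
    for (i = 0; i < 6; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return n;
}

int main(void)
{
    return demo_scan() == 2 ? 0 : 1;  /* only a1b2c3d4.0 and a1b2c3d4.1 pass */
}
```

Of the six constructed entries only the two hashed PEM certificates are accepted: the CRL entry and ca.pem fail the name check, README is ignored, and deadbeef.0 has a valid name but no certificate inside. A stricter port would also verify that each certificate's subject actually hashes to the file name, since OpenSSL only ever consults the entry whose name matches the issuer it is looking for; that requires reproducing OpenSSL's X509_NAME_hash and is not attempted here.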