On 1/23/2014 12:15 PM, Nikos Mavrogiannopoulos wrote:
>> So when I start gnutls-serv as an http server, where is it serving pages
>> from?  <snip>
> gnutls-serv is a debugging server, not a proper web server. For a web
> server that uses gnutls you may want to check mod_gnutls and nxweb.

Okay. I'm thinking to run the pygnutls twisted-server, and add the http callback instead, so as to get more programmatic control than Apache allows.


>> I note also that when requesting 'disable-client-cert', gnutls-serv
>> still complains that no client certificate was furnished.
> Could you elaborate on the issue?

I have gnutls-serv set up as shown below:

   had4.antd [72]{.../tlslite-0.4.6/tests}-> more gnutlsserv.sh
   #3 /bin/sh
   gnutls-serv --port 4461 --disable-client-cert --http --x509keyfile fourkey.pem --x509certfile fourcert.pem

When connecting from the peer, the server spits out the following:

   had4.antd [73]{.../tlslite-0.4.6/tests}->
   * connection from 10.0.20.22, port 50551
   - Certificate type: X.509
   No certificates found!
   - Could not verify certificate (err: The peer did not send any certificate.)
   - Version: TLS1.1
   - Key Exchange: RSA
   - Cipher: 3DES-CBC
   - MAC: SHA1
   - Compression: NULL

So it complains about 'no certificates found' and gives a Could not verify error message, even though I have the --disable-client-cert option enabled. This is identical to the behavior experienced when no client cert flag is set.

Ah! but when the --require-cert flag is set, this is what happens:

   had4.antd [82]{.../tlslite-0.4.6/tests}-> more ./gnutlsserv.sh
   #3 /bin/sh
   gnutls-serv --port 4461 --require-cert --http --x509keyfile fourkey.pem --x509certfile fourcert.pem
   had4.antd [83]{.../tlslite-0.4.6/tests}-> Error in handshake
   Error: The peer did not send any certificate.

So it looks like in the disable and no-flag cases, the server complains but completes the connection; however, in the require-cert case, no connection is made. So I guess the message is just spurious noise.

Regards,

Stephen Nightingale.







