I see. We haven't decided yet whether to use GnuTLS or OpenSSL, but if we decide to go with GnuTLS I'll certainly make that patch.
Thank you.

On Thu, May 22, 2014 at 5:28 PM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On Thu, May 22, 2014 at 11:42 AM, DEXTER <[email protected]> wrote:
> > Sure. In a proxy firewall environment, you have the server's certificate,
> > and you want to copy that cert exactly as is, but you want to remove some of
> > the extensions and show that to the client.
> > In case of OpenSSL you have an API for that:
> >
> >     int idx = X509_get_ext_by_NID(cert, nid, -1);  // get the index
> >     X509_EXTENSION *ext = X509_get_ext(cert, idx);  // get the extension
> >     if (ext != NULL) {                              // check that the extension was found
> >         X509_delete_ext(cert, idx);                 // delete the extension
> >         X509_EXTENSION_free(ext);                   // free the memory
> >     }
> >
> > It would be great if GnuTLS had this functionality too.
> > Without this API, can you tell me what is the way to copy a certificate and
> > only remove some of the extensions from it?
>
> As it is now you have to create a new certificate and copy everything
> you need there. In 3.3.x it is a bit simpler as you can simply copy
> the DER-encoded extensions, but there is no API to manipulate
> certificates, other than add elements. What you specify can be indeed
> useful to have, but I don't plan to work on it any time soon. I'd
> certainly consider adding that if you contribute the needed pieces.
>
> regards,
> Nikos
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
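The quoted exchange asks how to copy a certificate while dropping some of its extensions when the library offers no delete call, and the answer is to build a new certificate and copy the DER-encoded pieces over. The example below is added here and is not from the thread, nor GnuTLS or OpenSSL code; it shows, library-independently and with only the Python standard library, what that copy amounts to on the wire: walk the Certificate, copy every TBSCertificate field byte-for-byte, and omit the extensions whose OIDs are in a drop set. The certificate it operates on is constructed inline (key and signature fields are filler bytes, not cryptographic values). The OIDs it drops, the RFC 6962 SCT list and authorityInfoAccess, are chosen as examples of extensions that are bound to the original certificate or point at the origin CA's infrastructure and so make no sense on a proxy-issued copy. Because the TBSCertificate changes, the origin signature no longer covers it and an intercepting proxy must sign the rebuilt TBSCertificate with its own CA key; the example assumes that key signs with the algorithm already named in the TBS signature field, otherwise that field must be replaced too.

```python
"""DER-level copy of a TBSCertificate minus chosen extensions, Python stdlib only. Added example; not GnuTLS or OpenSSL code."""
BOOLEAN, INTEGER, BIT_STRING, OCTET_STRING, OID, SEQUENCE = 0x01, 0x02, 0x03, 0x04, 0x06, 0x30
EXTENSIONS_TAG = 0xA3  # [3] EXPLICIT wrapper around Extensions inside TBSCertificate

def der_len(n):
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: count octet, then big-endian length

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):  # parse the TLV at buf[pos]; return (tag, content, position after it)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):  # (tag, content) of each element inside a constructed type
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on every octet but the last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def split_certificate(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, end = read_tlv(cert_der, 0)
    parts = children(body)
    if tag != SEQUENCE or end != len(cert_der) or len(parts) != 3:
        raise ValueError("not a DER Certificate")
    return parts

def parse_extension(content):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    fields = children(content)
    if fields[0][0] != OID or fields[-1][0] != OCTET_STRING:
        raise ValueError("malformed Extension")
    return decode_oid(fields[0][1]), len(fields) == 3 and fields[1][1] == b"\xff", fields[-1][1]

def list_extensions(cert_der):
    """[(oid, critical, value)] in certificate order."""
    for tag, content in children(split_certificate(cert_der)[0][1]):
        if tag == EXTENSIONS_TAG:
            (_, ext_seq), = children(content)
            return [parse_extension(c) for _, c in children(ext_seq)]
    return []

def strip_extensions(cert_der, drop_oids):
    """Rebuild the TBSCertificate minus the extensions in drop_oids; the result is unsigned and must be signed by the proxy CA."""
    out = b""
    for tag, content in children(split_certificate(cert_der)[0][1]):
        if tag != EXTENSIONS_TAG:
            out += tlv(tag, content)  # serial, issuer, validity, subject, SPKI... copied byte-for-byte
            continue
        (_, ext_seq), = children(content)
        kept = b"".join(tlv(t, c) for t, c in children(ext_seq) if parse_extension(c)[0] not in drop_oids)
        if kept:  # extensions is OPTIONAL: omit the [3] wrapper entirely if none remain
            out += tlv(EXTENSIONS_TAG, tlv(SEQUENCE, kept))
    return tlv(SEQUENCE, out)

def assemble_certificate(tbs_der, sig_alg_der, signature):  # sig_alg_der must equal the TBS's inner signature field
    return tlv(SEQUENCE, tbs_der + sig_alg_der + tlv(BIT_STRING, b"\x00" + signature))

def build_sample_cert():
    """Structurally valid v3 cert with four extensions, constructed for this demo; key and signature are filler."""
    def ext(oid, value, critical=False):
        return tlv(SEQUENCE, encode_oid(oid) + (tlv(BOOLEAN, b"\xff") if critical else b"") + tlv(OCTET_STRING, value))
    sha256_rsa = tlv(SEQUENCE, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    name = tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE, encode_oid("2.5.4.3") + tlv(0x0C, b"example.test"))))
    validity = tlv(SEQUENCE, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(BIT_STRING, bytes(17)))
    exts = tlv(SEQUENCE, ext("2.5.29.19", tlv(SEQUENCE, b""), critical=True)  # basicConstraints
                       + ext("2.5.29.17", tlv(SEQUENCE, tlv(0x82, b"example.test")))  # subjectAltName
                       + ext("1.3.6.1.4.1.11129.2.4.2", tlv(OCTET_STRING, b"\x00\x00"))  # SCT list (RFC 6962)
                       + ext("1.3.6.1.5.5.7.1.1", tlv(SEQUENCE, b"")))  # authorityInfoAccess
    tbs = tlv(SEQUENCE, tlv(0xA0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01\x02\x03") + sha256_rsa
              + name + validity + name + spki + tlv(EXTENSIONS_TAG, exts))
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BIT_STRING, bytes(9)))
```

Typical use is `new_tbs = strip_extensions(cert, {"1.3.6.1.4.1.11129.2.4.2", "1.3.6.1.5.5.7.1.1"})`, then signing `new_tbs` with the proxy CA key and passing the signature to `assemble_certificate()`. Note that the serial number is copied unchanged, which is fine only because the rebuilt certificate is issued under the proxy's own CA; two certificates with the same serial from one issuer would violate RFC 5280. In GnuTLS 3.3 the same copy-with-filter goes through gnutls_x509_crt_get_extension_info() and gnutls_x509_crt_get_extension_data2() on the source certificate and gnutls_x509_crt_set_extension_by_oid() on the new one, before signing it.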
