Hi, I've been using basic GnuTLS features until a recent fallout with certificate-based connection authentication prompted me to look into more advanced techniques such as callbacks. I would appreciate it if somebody could answer these questions:
1. It's unclear to me why "gnutls_certificate_set_verify_function()" is a function of credentials rather than a session: I assumed that the same credentials added to a session via "gnutls_credentials_set()" can be reused. Which means that certificate verification will be done on any such session rather than selected on a per-session basis. I think my understanding is incomplete (yet the API documentation does not provide any insight here).

2. There's something odd with the description of the "gnutls_certificate_set_retrieve_function*()" API: the callbacks are documented as int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, ...), but the parameter descriptions that follow (for either call) refer to the nonexistent name "req_ca_cert". I assume "req_ca_dn" was meant to be there, but I'm not sure. Please confirm. Also, is the word "key" missing after "public" in the following description: "pcert should contain a single certificate and public or a list of them."?

3. Can you please explain this phrase to me: "Contains a list with the CA names that the server considers trusted. Normally we should send a certificate that is signed by one of these CAs." Is this a requirement? In other words, if my server tells me it wants a GoDaddy-issued cert, and I send a Digicert-issued one instead, should I expect the server to drop the connection on me?

4. Is there a way to pass some context to a callback that is set with "gnutls_certificate_set_retrieve_function*()"? I.e. something similar to "gnutls_session_set_ptr()", but for credentials.

5. If there is a certificate set in the credentials (e.g. with "gnutls_certificate_set_x509_simple_pkcs12_file()") along with a certificate retrieval callback, which wins?

I apologize if my questions are naïve, but I would appreciate any help I can get on this list.
Thank you,
Anton Lavrentiev
Contractor NIH/NLM/NCBI

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
