On Wed, Apr 22, 2015 at 2:31 AM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] <[email protected]> wrote:
> Hi,
> I've been using basic GnuTLS features until a recent fallout with
> certificate-based connection authentication prompted me to look into
> more advanced techniques such as callbacks. I would appreciate it if
> somebody could answer these questions:
>
> 1. It's unclear to me why "gnutls_certificate_set_verify_function()" is a
> function of credentials rather than a session: I assumed that the same
> credentials added to a session via "gnutls_credentials_set()" can be
> reused. Which means that certificate verification will be done on any
> such session rather than selected on a per-session basis. I think my
> understanding is incomplete (yet the API documentation does not provide
> any insight here).

It was designed with the server mainly in mind, which will typically have
the same verify function for all possible clients. You can still however
differentiate between sessions using gnutls_session_set/get_ptr(). Do you
see an issue with this approach?

> 2. There's something odd with the description of the
> "gnutls_certificate_set_retrieve_function*()" API:
> callbacks are documented as:
> int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn,...)
> but the parameter descriptions that follow (for either call) refer to the
> nonexistent name "req_ca_cert". I assume "req_ca_dn" was meant to be
> there, but I'm not sure. Please confirm.

Confirmed. I've fixed it.

> Also, is the word "key" missing after "public" in the following
> description:
> "pcert should contain a single certificate and public or a list of them."

Thanks. Fixed too.

> 3. Can you please explain this phrase to me: "Contains a list with the CA
> names that the server considers trusted. Normally we should send a
> certificate that is signed by one of these CAs." Is this a requirement?
> In other words, if my server tells me it wants a GoDaddy-issued cert,
> and I send a Digicert one instead, then should I expect the server to
> drop the connection on me?

It's up to the server to decide. You can send whatever you desire in the
certificate field, but the server will have to accept it. The values you
get in this callback are hints; you may use them or ignore them.

That said, for most applications the server will require a certificate
that is signed by a CA it controls or trusts to authenticate its users.
So sending it any random certificate wouldn't be useful to it.

> 4. Is there a way to pass some context to a callback that is set with
> "gnutls_certificate_set_retrieve_function*()"? I.e. similar to
> "gnutls_session_set_ptr()" but for credentials.

Since you get a pointer to the session, you can use
gnutls_session_set/get_ptr() for that. There is also
gnutls_credentials_get() since gnutls 3.3.3, if I correctly understand
what you mean.

> 5. If there is a certificate set in credentials (e.g. such as with
> "gnutls_certificate_set_x509_simple_pkcs12_file()") along with a
> certificate retrieval callback, what wins?

Interesting question. The callback always takes precedence.

> I apologize if my questions are naïve but I would appreciate any help I
> can get on this list.

They are not. They certainly helped improve the documentation :)

regards,
Nikos
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
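The pattern Nikos describes in answers 1, 3 and 4, as an added example that is not part of the thread and not GnuTLS's own code: one credentials object carries the verify and retrieve callbacks, while per-session state (the hostname to verify, the identities the client may present) is reached through gnutls_session_set_ptr()/gnutls_session_get_ptr(). The server's CA-name hints are treated as advisory, as answer 3 says: a matching issuer is preferred, otherwise a default identity is sent. The structs, the HAVE_GNUTLS macro, the sample DNs and the demo names are this example's own assumptions; loading the certificates and keys into gnutls_pcert_st/gnutls_privkey_t is left to the application. The selection logic compiles without GnuTLS; build the callback wiring with -DHAVE_GNUTLS and -lgnutls.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One client identity the application could present (constructed example).
 * The label stands in for however the app names its cert/key pair; the
 * issuer DN is the string form of that certificate's issuer. */
struct client_identity {
    const char *label;
    const char *issuer_dn;
};

/* Per-session context, installed with gnutls_session_set_ptr(). The
 * credentials object is shared, so everything that differs per session
 * (expected peer name, identities available) lives here. */
struct session_ctx {
    const char *expected_host;          /* name to verify the peer cert against */
    const struct client_identity *ids;  /* identities available for this session */
    size_t n_ids;
    size_t fallback;                    /* index presented when no hint matches */
};

/* Pure selection logic: pick the first identity whose issuer matches one of
 * the CA names the server hinted at. Hints are advisory (the server may still
 * reject what we send), so an unmatched list falls back to a default identity
 * rather than failing the handshake here. */
size_t choose_identity(const struct session_ctx *ctx,
                       const char *const *hints, size_t n_hints)
{
    for (size_t h = 0; h < n_hints; h++)
        for (size_t i = 0; i < ctx->n_ids; i++)
            if (strcmp(hints[h], ctx->ids[i].issuer_dn) == 0)
                return i;
    return ctx->fallback;
}

/* Constructed sample data so the selection logic runs stand-alone. */
static const struct client_identity demo_ids[] = {
    { "corp-cert",    "CN=Corp Issuing CA,O=Example Corp" },
    { "partner-cert", "CN=Partner CA,O=Partner Ltd" },
};
const struct session_ctx demo_ctx = { "tls.example.test", demo_ids, 2, 0 };

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>

/* Application state reachable from the session pointer: the policy above plus
 * loaded certificates and keys, parallel to policy.ids (assumed loaded by the
 * application with gnutls_pcert_import_x509_raw / gnutls_privkey_import_x509_raw). */
struct tls_client {
    struct session_ctx policy;
    gnutls_pcert_st *certs;
    gnutls_privkey_t *keys;
};

/* Retrieve callback (answers 3 and 4): decode the server's DER-encoded CA
 * name hints into strings, then reuse choose_identity() on this session's policy. */
static int retrieve_cb(gnutls_session_t session,
                       const gnutls_datum_t *req_ca_rdn, int nreqs,
                       const gnutls_pk_algorithm_t *pk_algos, int pk_algos_length,
                       gnutls_pcert_st **pcert, unsigned int *pcert_length,
                       gnutls_privkey_t *pkey)
{
    enum { MAX_HINTS = 16 };
    char names[MAX_HINTS][256];
    const char *hints[MAX_HINTS];
    size_t n = 0;
    struct tls_client *c = gnutls_session_get_ptr(session);

    (void)pk_algos; (void)pk_algos_length;   /* key-type hints not consulted here */
    for (int i = 0; i < nreqs && n < MAX_HINTS; i++) {
        size_t len = sizeof names[n];
        if (gnutls_x509_rdn_get(&req_ca_rdn[i], names[n], &len) == 0) {
            hints[n] = names[n];
            n++;
        }
    }
    size_t idx = choose_identity(&c->policy, hints, n);
    *pcert = &c->certs[idx];
    *pcert_length = 1;
    *pkey = c->keys[idx];
    return 0;
}

/* Verify callback (answer 1): one function for the whole credentials object,
 * but the hostname to check comes from the per-session context. A non-zero
 * return aborts the handshake. */
static int verify_cb(gnutls_session_t session)
{
    struct tls_client *c = gnutls_session_get_ptr(session);
    unsigned int status = 0;
    if (gnutls_certificate_verify_peers3(session, c->policy.expected_host, &status) < 0)
        return GNUTLS_E_CERTIFICATE_ERROR;
    return status == 0 ? 0 : GNUTLS_E_CERTIFICATE_ERROR;
}

/* Wire the shared credentials and the per-session context together. */
int attach_session(gnutls_certificate_credentials_t cred, gnutls_session_t session,
                   struct tls_client *c)
{
    gnutls_certificate_set_retrieve_function2(cred, retrieve_cb);
    gnutls_certificate_set_verify_function(cred, verify_cb);
    gnutls_session_set_ptr(session, c);
    return gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
}
#endif

int main(void)
{
    const char *hints[] = { "CN=Other CA,O=Nobody", "CN=Partner CA,O=Partner Ltd" };
    size_t idx = choose_identity(&demo_ctx, hints, 2);
    printf("server hinted at Partner CA -> presenting %s\n", demo_ids[idx].label);
    return 0;
}
```

Because the retrieve callback is set on the credentials object, it fires for every session that shares those credentials (and, per answer 5, wins over any certificate loaded into the credentials directly); the session pointer is what lets each session present a different identity or verify a different hostname without duplicating credentials.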
