[EMAIL PROTECTED] (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <[EMAIL PROTECTED]> writes:
>
>> Oh. I see, bad theory then. Hm. Have you loaded the proper CA cert in
>> the server? The server sends over some information about the known CA
>> certs, and if that doesn't match the user's certificate, the client
>> won't send its user certificate.
>
> Actually, you were right: my power cable was not quite plugged in. ;-)
> Adding a `set_x509_trust_file ()' call on the server side fixed the
> problem.

Ah, ok.

> I was not expecting such behavior, though. Roughly, I had copied my
> OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
> "openpgp" with "x509". The fact that we need to specify a trust file in
> X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
> creates a slight asymmetry.

I think the asymmetry can be traced back to the protocols. Certificate
requests with X.509 require that the user cert matches the CA cert, but
with OpenPGP such a check isn't applicable.

I don't know whether it is OK for a client to send an X.509 client cert
that doesn't match one of the authorities sent by the server. Maybe that
should be possible?

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
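The mechanism Simon describes (the server advertises the names of the CAs it trusts inside the TLS CertificateRequest, and the client only offers a certificate whose issuer is on that list) as an added illustration, not code from this thread or from GnuTLS: a self-contained C model of the TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4) in which the server fills the certificate_authorities field from the CA names it has loaded and the client applies the issuer match. The CA names "Test CA" and "Other CA", the single-CN DER encoder and all function names are constructed for this example. In the GnuTLS C API the server-side fix from the thread corresponds to calling gnutls_certificate_set_x509_trust_file() on the certificate credentials, which is what populates that list, before requesting a client certificate with gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One DistinguishedName as carried in the CertificateRequest (DER bytes, not copied). */
typedef struct { const uint8_t *der; size_t len; } tls_dn;

/* DER-encode a Name holding a single commonName:
 * SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }.
 * Short-form lengths only, so the CN is capped at 100 bytes. Returns bytes written, 0 on error. */
static size_t der_cn_name(const char *cn, uint8_t *out, size_t cap) {
    size_t n = strlen(cn);
    if (n > 100 || cap < n + 13) return 0;
    uint8_t *p = out;
    *p++ = 0x30; *p++ = (uint8_t)(n + 11);                            /* Name */
    *p++ = 0x31; *p++ = (uint8_t)(n + 9);                             /* RelativeDistinguishedName */
    *p++ = 0x30; *p++ = (uint8_t)(n + 7);                             /* AttributeTypeAndValue */
    *p++ = 0x06; *p++ = 0x03; *p++ = 0x55; *p++ = 0x04; *p++ = 0x03;  /* id-at-commonName */
    *p++ = 0x0C; *p++ = (uint8_t)n; memcpy(p, cn, n); p += n;         /* UTF8String */
    return (size_t)(p - out);
}

/* Build a TLS 1.2 CertificateRequest body advertising the given CA names, the way a
 * server derives it from its loaded trust store. Returns bytes written, 0 on error. */
static size_t build_certificate_request(const char *const *ca_cns, size_t nca,
                                        uint8_t *out, size_t cap) {
    if (cap < 8) return 0;
    uint8_t *p = out;
    *p++ = 0x01; *p++ = 0x01;                              /* certificate_types: rsa_sign */
    *p++ = 0x00; *p++ = 0x02; *p++ = 0x04; *p++ = 0x01;    /* supported_signature_algorithms: sha256/rsa */
    uint8_t *ca_len_field = p; p += 2;                     /* certificate_authorities length, filled below */
    for (size_t i = 0; i < nca; i++) {
        size_t room = cap - (size_t)(p - out);
        if (room < 2) return 0;
        size_t dn_len = der_cn_name(ca_cns[i], p + 2, room - 2);
        if (dn_len == 0) return 0;
        p[0] = (uint8_t)(dn_len >> 8); p[1] = (uint8_t)dn_len;
        p += 2 + dn_len;
    }
    size_t total = (size_t)(p - ca_len_field) - 2;
    ca_len_field[0] = (uint8_t)(total >> 8); ca_len_field[1] = (uint8_t)total;
    return (size_t)(p - out);
}

/* Parse certificate_authorities out of a CertificateRequest body. Returns the number of
 * names found (the first `max` are stored in `out`) or -1 if any length field is inconsistent. */
static int parse_certificate_authorities(const uint8_t *msg, size_t len, tls_dn *out, size_t max) {
    size_t pos = 0;
    if (len < 1) return -1;
    size_t types_len = msg[pos++];
    if (len - pos < types_len + 2) return -1;
    pos += types_len;
    size_t sig_len = ((size_t)msg[pos] << 8) | msg[pos + 1]; pos += 2;
    if (len - pos < sig_len + 2) return -1;
    pos += sig_len;
    size_t ca_len = ((size_t)msg[pos] << 8) | msg[pos + 1]; pos += 2;
    if (len - pos != ca_len) return -1;          /* the list must fill the rest of the body exactly */
    int count = 0;
    while (pos < len) {
        if (len - pos < 2) return -1;
        size_t dn_len = ((size_t)msg[pos] << 8) | msg[pos + 1]; pos += 2;
        if (dn_len == 0 || len - pos < dn_len) return -1;
        if ((size_t)count < max) { out[count].der = msg + pos; out[count].len = dn_len; }
        count++;
        pos += dn_len;
    }
    return count;
}

/* The client-side rule from the thread: offer the certificate only when its issuer name is
 * byte-for-byte one of the advertised CA names. 1 = would send, 0 = would not, -1 = malformed. */
static int client_would_send_cert(const uint8_t *issuer_der, size_t issuer_len,
                                  const uint8_t *req, size_t req_len) {
    tls_dn names[16];
    int n = parse_certificate_authorities(req, req_len, names, 16);
    if (n < 0) return -1;
    if (n > 16) n = 16;
    for (int i = 0; i < n; i++)
        if (names[i].len == issuer_len && memcmp(names[i].der, issuer_der, issuer_len) == 0)
            return 1;
    return 0;
}

/* End-to-end: the server advertises `trusted` (what its trust file holds); the client holds a
 * certificate issued by `client_issuer_cn`. Returns client_would_send_cert()'s verdict. */
static int client_cert_accepted(const char *client_issuer_cn,
                                const char *const *trusted, size_t ntrusted) {
    uint8_t req[512], issuer[128];
    size_t req_len = build_certificate_request(trusted, ntrusted, req, sizeof req);
    size_t issuer_len = der_cn_name(client_issuer_cn, issuer, sizeof issuer);
    if (req_len == 0 || issuer_len == 0) return -1;
    return client_would_send_cert(issuer, issuer_len, req, req_len);
}

int main(void) {
    const char *const loaded[] = {"Test CA"};   /* constructed: what the server's trust file holds */
    printf("trust file loaded, matching issuer: %d\n", client_cert_accepted("Test CA", loaded, 1));
    printf("no trust file loaded:               %d\n", client_cert_accepted("Test CA", NULL, 0));
    printf("trust file loaded, other issuer:    %d\n", client_cert_accepted("Other CA", loaded, 1));
    return 0;
}
```

The second case is the situation from the thread: with nothing loaded the server's list is empty, so a client applying this rule never offers its certificate and a server configured with GNUTLS_CERT_REQUIRE aborts the handshake. One caveat worth knowing when debugging this: RFC 5246 says a client MAY send any certificate of an acceptable type when the certificate_authorities list is empty, so the strict matching modelled here is a client policy rather than a protocol requirement, and loading the trust file on the server is the configuration that works with either client policy.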
