On 05/29/2012 11:17 PM, Janne Snabb wrote:
> On 2012-05-30 03:37, Michal Suchanek wrote:
>> Now what I do not get is how a pile of CA certificates is fragmenting
>> the packets.
>>
>> Sounds like a security hole. CA cert piles should be local to either
>> side, only one CA cert relevant for the session. Technically there can
>> be more than one cert in the trust chain but not a pile of them.
>
> If the *server* chooses to trust a pile of CAs in the same way as web
> browsers (clients) typically do, this will happen, see:
>
> https://tools.ietf.org/html/rfc5246#section-7.4.4
>
> It also says:
>
> "If the certificate_authorities list is empty, then the client MAY send
> any certificate of the appropriate ClientCertificateType, unless there
> is some external arrangement to the contrary."
>
> ...which suggests that in cases like this it might be a good idea or at
> least acceptable *not* to put anything in the certificate_authorities
> list when the server sends the Certificate Request. It is unclear how
> various client side implementations implement the "MAY" part of the
> above RFC quote. Do they send a client certificate if the CA list is
> empty? Which one will they send if they have several?

Most send any certificate selected by the user.

> It feels like there should be a way in the GnuTLS API to define whether
> the list of trusted CAs is to be advertised in Certificate Request or
> not. (Maybe there is a way but I am missing it?)

There is. Check client certificate authentication at:
http://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html#Certificate-credentials

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
https://lists.gnu.org/mailman/listinfo/help-gnutls
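The thread above turns on the shape of the TLS 1.2 CertificateRequest message from RFC 5246 section 7.4.4: every trusted CA the server advertises becomes one length-prefixed DER DistinguishedName in certificate_authorities, so a large trust store inflates the handshake, while an empty list is explicitly allowed. The following Python is an added example, not code from the thread or from GnuTLS; it builds and parses that message with constructed CA names (der_dn, build_certificate_request and parse_certificate_request are helper names chosen here) so you can measure the size cost of advertising N CAs against sending the empty list. In GnuTLS itself the switch the thread asks about is gnutls_certificate_send_x509_rdn_sequence(), documented on the manual page linked in the reply.

```python
"""TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4): build and parse.

Shows how each DistinguishedName the server advertises in
certificate_authorities adds bytes to the handshake, and what the
message looks like when the list is left empty (the "MAY" case).
"""
import struct

HT_CERTIFICATE_REQUEST = 13   # HandshakeType certificate_request
RSA_SIGN = 1                  # ClientCertificateType rsa_sign
SHA256_RSA = (4, 1)           # SignatureAndHashAlgorithm {sha256, rsa}


def der_dn(common_name):
    """Constructed helper: minimal DER Name with a single commonName RDN.
    Uses short-form DER lengths only, so keep the name short."""
    cn = common_name.encode("utf-8")
    assert len(cn) < 110, "short-form DER length only"
    oid_cn = b"\x06\x03\x55\x04\x03"               # OID 2.5.4.3 (commonName)
    value = b"\x0c" + bytes([len(cn)]) + cn         # UTF8String
    atv = b"\x30" + bytes([len(oid_cn) + len(value)]) + oid_cn + value
    rdn = b"\x31" + bytes([len(atv)]) + atv         # SET OF AttributeTypeAndValue
    return b"\x30" + bytes([len(rdn)]) + rdn        # SEQUENCE OF RDN


def build_certificate_request(trusted_cas, advertise_cas=True):
    """Return a full handshake message (type + 24-bit length + body).

    trusted_cas: list of DER-encoded DNs the server trusts.
    advertise_cas=False leaves certificate_authorities empty, as RFC 5246
    permits; the server still verifies whatever chain the client returns.
    """
    cert_types = bytes([RSA_SIGN])
    sig_algs = bytes(SHA256_RSA)
    names = b""
    if advertise_cas:
        for dn in trusted_cas:
            names += struct.pack("!H", len(dn)) + dn    # DistinguishedName<1..2^16-1>
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(names)) + names)
    return bytes([HT_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Parse a CertificateRequest handshake message into its three vectors,
    rejecting length mismatches instead of silently reading past them."""
    if msg[0] != HT_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:]
    if len(body) != length:
        raise ValueError("handshake length mismatch")
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    raw = body[pos:pos + n]; pos += n
    sig_algs = [(raw[i], raw[i + 1]) for i in range(0, len(raw), 2)]
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + n
    cas = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(bytes(body[pos:pos + dn_len])); pos += dn_len
    if pos != end or pos != len(body):
        raise ValueError("trailing or truncated data in certificate_authorities")
    return {"certificate_types": cert_types,
            "supported_signature_algorithms": sig_algs,
            "certificate_authorities": cas}


if __name__ == "__main__":
    # Constructed trust store: 200 short CA names, far smaller than real DNs.
    cas = [der_dn("Constructed CA %d" % i) for i in range(200)]
    full = build_certificate_request(cas)
    bare = build_certificate_request(cas, advertise_cas=False)
    print("200 CAs advertised:", len(full), "bytes; empty list:", len(bare), "bytes")
    print("parsed back", len(parse_certificate_request(full)["certificate_authorities"]), "DNs")
```

Real CA subject names run to 50-150 bytes each, so a browser-sized store of a few hundred CAs pushes this one handshake message into the kilobytes, which is the fragmentation the original poster saw; sending the empty list keeps the message a handful of bytes, at the cost that the client has no hint about which certificate to choose.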