Rainer Gerhards | 20 May 18:23

client certificate not provided when no common root ca

Hi list,

me again ;) I have a server and client, both with self-signed
certificates and no common root CA. My server requests the client's
certificate. However, it does not receive one when there is no common
root CA. If I add a common root CA to both client and server (but
still have self-signed certs NOT signed by the common CA), I receive
the client certificate.

Is this desired behavior (I think I read it is, but can no longer find
the doc page where it is described)? If so, is there any way around it
(e.g. via the certificate retrieve functions)?

Feedback is appreciated.

Thanks,
Rainer

Re: client certificate not provided when no common root ca

Rainer Gerhards wrote:
> Hi list,
> 
> me again ;) I have a server and client, both with self-signed
> certificates and no common root CA. My server requests the client's
> certificate. However, it does not receive one when there is no common
> root CA. If I add a common root CA to both client and server (but
> still have self-signed certs NOT signed by the common CA), I receive
> the client certificate.
> Is this desired behavior (I think I read it is, but can no longer find
> the doc page where it is described). 

Yes, this is the desired behavior. That is because the server requests
certificates only from the CAs he trusts.

> If so, is there any way around it
> (e.g. via the certificate retrieve functions)?

1. Include the client CA certificate in the server's trusted CA list

2. (hack)
You should use the callback functions in client so that you can send any
certificate that you like regardless of what the server requests (check
gnutls-cli code).

regards,
Nikos
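The mechanism Nikos describes, as an added example (not code from this thread or from GnuTLS): a TLS 1.2 CertificateRequest carries the DER-encoded names of the CAs the server trusts, and a client offers its certificate only when the certificate's issuer is on that list. The CA names below are constructed samples; for a self-signed client certificate the issuer is the certificate's own subject, which is why option 1 (adding it to the server's trusted list) makes the client send it.

```python
import struct

def der_cn(name: str) -> bytes:
    """Minimal DER X.501 Name with one CN attribute (constructed sample DNs
    only; lengths must stay below 128 bytes for the short-form encoding)."""
    val = name.encode()
    attr = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(val)]) + val  # OID cn, UTF8String
    seq = b"\x30" + bytes([len(attr)]) + attr
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_certificate_request(cas, cert_types=(1,), sig_algs=((4, 1),)) -> bytes:
    """TLS 1.2 CertificateRequest body (RFC 5246 7.4.4): certificate types,
    signature algorithms, then the DNs of the CAs the server trusts."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(a) for a in sig_algs)
    body += struct.pack("!H", len(sa)) + sa
    ca_blob = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    return body + struct.pack("!H", len(ca_blob)) + ca_blob

def parse_certificate_request(body: bytes) -> dict:
    """Parse a CertificateRequest body; raises ValueError on truncation or trailing bytes."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, cas = pos + n, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed CertificateRequest")
    return {"cert_types": cert_types, "sig_algs": sig_algs, "cas": cas}

def client_will_offer(issuer_dn: bytes, request: dict) -> bool:
    """A client offers its certificate only if its issuer DN is on the server's
    list; an empty list means the server accepts any CA."""
    return not request["cas"] or issuer_dn in request["cas"]

# Constructed sample names: the client cert is self-signed, so it is its own issuer.
SERVER_CA = der_cn("Server Root CA")
CLIENT_CERT_DN = der_cn("rsyslog client")
# Server trusts only its own CA: the request never names the client's issuer.
no_common = parse_certificate_request(build_certificate_request([SERVER_CA]))
# Option 1 from the reply: the client's self-signed cert is added to the trusted list.
with_client = parse_certificate_request(build_certificate_request([SERVER_CA, CLIENT_CERT_DN]))
```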
Rainer Gerhards | 21 May 13:42

Re: client certificate not provided when no common root ca

Hi Nikos,

inline...

On Wed, May 21, 2008 at 1:35 PM, Nikos Mavrogiannopoulos
<nmav <at> gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi list,
>>
>> me again ;) I have a server and client, both with self-signed
>> certificates and no common root CA. My server requests the client's
>> certificate. However, it does not receive one when there is no common
>> root CA. If I add a common root CA to both client and server (but
>> still have self-signed certs NOT signed by the common CA), I receive
>> the client certificate.
>> Is this desired behavior (I think I read it is, but can no longer find
>> the doc page where it is described).
>
> Yes, this is the desired behavior. That is because the server requests
> certificates only from the CAs he trusts.

That makes an awful lot of sense ;)

>
>> If so, is there any way around it
>> (e.g. via the certificate retrieve functions)?
>
> 1. Include the client CA certificate in the server's trusted CA list
>
> 2. (hack)