On 2012-05-30 04:24, Nikos Mavrogiannopoulos wrote on help-gnutls list:
> On 05/29/2012 11:17 PM, Janne Snabb wrote:
>> It feels like there should be a way in the GnuTLS API to define whether
>> the list of trusted CAs is to be advertised in Certificate Request or
>> not. (Maybe there is a way but I am missing it?)
>
>
> There is. Check client certificate authentication at:
> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html#Certificate-credentials
Do we need "gnutls_certificate_send_x509_rdn_sequence(session, knob)" in
the GnuTLS server side initialization and a corresponding configuration
knob. How does OpenSSL behave in this regard?
The advertisement should not be hard-coded in the off position because
people using MUAs may want to authenticate to SMTP submission service
with a certificate (and they may hold many of them for different
purposes/roles). Obviously in that case the SMTP submission service
would trust only one or few CAs.
--
Janne Snabb / EPIPE Communications
snabb@??? -
http://epipe.com/
