Re: [exim-dev] Big CA certificate bundle causes problems wit…

Author: Janne Snabb
To: exim-dev
Subject: Re: [exim-dev] Big CA certificate bundle causes problems with GnuTLS 3.0.11
On 2012-05-30 04:24, Nikos Mavrogiannopoulos wrote on help-gnutls list:
> On 05/29/2012 11:17 PM, Janne Snabb wrote:
>> It feels like there should be a way in the GnuTLS API to define whether
>> the list of trusted CAs is to be advertised in Certificate Request or
>> not. (Maybe there is a way but I am missing it?)
>
>
> There is. Check client certificate authentication at:
> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html#Certificate-credentials


Do we need "gnutls_certificate_send_x509_rdn_sequence(session, knob)" in
the GnuTLS server side initialization and a corresponding configuration
knob? How does OpenSSL behave in this regard?

The advertisement should not be hard-coded in the off position because
people using MUAs may want to authenticate to SMTP submission service
with a certificate (and they may hold many of them for different
purposes/roles). Obviously in that case the SMTP submission service
would trust only one or few CAs.

--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/