Re: [exim-dev] Big CA certificate bundle causes problems wit…

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Janne Snabb
CC: exim-dev
Subject: Re: [exim-dev] Big CA certificate bundle causes problems with GnuTLS 3.0.11
On 2012-05-30 at 04:45 +0700, Janne Snabb wrote:
> On 2012-05-30 04:24, Nikos Mavrogiannopoulos wrote on help-gnutls list:
> > On 05/29/2012 11:17 PM, Janne Snabb wrote:
> >> It feels like there should be a way in the GnuTLS API to define whether
> >> the list of trusted CAs is to be advertised in Certificate Request or
> >> not. (Maybe there is a way but I am missing it?)
> >
> >
> > There is. Check client certificate authentication at:
> > http://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html#Certificate-credentials
>
> Do we need "gnutls_certificate_send_x509_rdn_sequence(session, knob)" in
> the GnuTLS server side initialization and a corresponding configuration
> knob. How does OpenSSL behave in this regard?


Oh, I deleted from my previous reply the text about "I think I remember
reading about a knob to do this in GnuTLS but I can't find it right
now".

OpenSSL: if you use a directory, it does not send the server CAs. If
you use a file, it does.

For GnuTLS, this is not a change in behaviour, not a regression, so
adding this would be a feature enhancement which can go into 4.81.

The option might be useful, yes. This
sending-of-list-of-CAs-we-might-trust to the client is part of why I
always use directory mode with OpenSSL. We should let GnuTLS folks get
the same protection.

-Phil