GnuTLS and certificate verification

GnuTLS and certificate verification

[Julien Danjou]

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

Hi,

I'd like gnutls to check that the server I connect to are trusted. Using
Gnus and smtpmail, currently, the check is disable because
the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
It seems nothing uses it for now.

I wonder if adding a global defcustom would be helpful here. WDYT?

OTOH, I've tried to set it manually to t, and I added my CA to the know
certificates. gnutls-bin is now happy to connect to my IMAP server and
considers it secure ("Peer's certificate is trusted"). But with
gnutls.c, I keep hitting:

  if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
    GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
		 c_hostname);

Note that the trustfile used seems correct too.

If anybody has a clue, I'd be glad… 

-- 
Julien Danjou
/* Free Software hacker & freelance
   http://julien.danjou.info */

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]

Re: GnuTLS and certificate verification

[Ted Zlatanov]

On Thu, 06 Sep 2012 00:13:06 +0200 Julien Danjou <julien@danjou.info> wrote: 

JD> I'd like gnutls to check that the server I connect to are trusted. Using
JD> Gnus and smtpmail, currently, the check is disable because
JD> the argument :verify-hostname-error to `gnutls-negotiate' is always nil.
JD> It seems nothing uses it for now.

JD> I wonder if adding a global defcustom would be helpful here. WDYT?

Yes, if the underlying code works.

JD> OTOH, I've tried to set it manually to t, and I added my CA to the know
JD> certificates. gnutls-bin is now happy to connect to my IMAP server and
JD> considers it secure ("Peer's certificate is trusted"). But with
JD> gnutls.c, I keep hitting:

JD>   if (peer_verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
JD>     GNUTLS_LOG2 (1, max_log_level, "certificate signer was not found:",
JD> 		 c_hostname);

JD> Note that the trustfile used seems correct too.

JD> If anybody has a clue, I'd be glad… 

I tested this but not thoroughly with self-signed certs (which it seems
you're using, though I can't be sure from your description).

This specific error could be due to many things; you need to either look
at the GnuTLS context yourself, post a recipe for duplicating the issue
here or in a bug, or ask in the gnutls-devel mailing list with that
recipe.  Either way I will try to help you find the solution.

Ted

Re: GnuTLS and certificate verification

[Julien Danjou]

[-- Attachment #1: Type: text/plain, Size: 740 bytes --]

On Fri, Dec 21 2012, Ted Zlatanov wrote:

> I tested this but not thoroughly with self-signed certs (which it seems
> you're using, though I can't be sure from your description).

It's not a self-signed certificate, it's a certificate signed by my CA,
which I've imported onto my system.

> This specific error could be due to many things; you need to either look
> at the GnuTLS context yourself, post a recipe for duplicating the issue
> here or in a bug, or ask in the gnutls-devel mailing list with that
> recipe.  Either way I will try to help you find the solution.

Thanks Ted. I'll do that will get back to you once I know more!

-- 
Julien Danjou
-- Free Software hacker & freelance
-- http://julien.danjou.info

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]