Richard Moore wrote:
> On 7 May 2012 06:25, Nikos Mavrogiannopoulos <[email protected]> wrote:
> [...]
>> Moreover, a standard certificate bundle is not helpful at all, if it
>> doesn't mention for which purpose those certificates are trusted. Are
>> they trusted to certify smtp servers? incoming e-mail? web?
>
> This limitation is true. Openssl doesn't really have support for that concept.

It supports trust settings similar to NSS's though. Check the -addtrust
parameter of "openssl x509".

> [...]
> In Qt, we search the following directories (see
> https://qt.gitorious.org/qt/qtbase/blobs/master/src/network/ssl/qsslsocket.cpp#line2389):
>
> << "/etc/ssl/certs/"         // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
> << "/usr/lib/ssl/certs/"     // Gentoo, Mandrake
> << "/usr/share/ssl/"         // Centos, Redhat, SuSE
> << "/usr/local/ssl/"         // Normal OpenSSL Tarball
> << "/var/ssl/certs/"         // AIX
> << "/usr/local/ssl/certs/"   // Solaris
> << "/opt/openssl/certs/";    // HP-UX

What's the reason why you hardcode that list yourself instead of calling
SSL_CTX_set_default_verify_paths()?

>> Are there ways to identify the trust purpose of those certificates?
>> Is there any intention to standardize something like that, so we don't
>> end up with our own trust?
>
> All the certs are trusted for all purposes in this scheme (subject to
> the keyusage flags they contain).

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 0 (ok)

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust emailProtection
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 2 (unable to get issuer certificate)

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust serverAuth
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 0 (ok)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,
HRB 16746 (AG Nürnberg)

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
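The -addtrust experiment above, reproduced offline as an added example that is not part of the mailing-list thread: instead of a DigiCert root and build.opensuse.org it builds a throwaway CA and a server certificate signed by it, writes the CA out once without trust settings, once with "-addtrust emailProtection" and once with "-addtrust serverAuth", and runs "openssl verify -purpose" against each. All names (the CA subject, server.example.test, the function names) are constructed for the demo; the script assumes an openssl binary (1.1.1 or 3.x) in PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates OpenSSL per-purpose
# trust settings (the "TRUSTED CERTIFICATE" aux data written by x509 -addtrust).
set -u

make_test_pki() {
  # $1 = working directory. Creates a self-signed CA (ca.pem/ca.key) and a
  # server certificate (server.pem) issued by it. Subjects are constructed.
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.pem" -days 1 \
    -subj "/CN=Example Trust Demo CA" >/dev/null 2>&1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/CN=server.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/server.pem" -days 1 >/dev/null 2>&1
}

verify_result() {
  # $1 = CA file, $2 = purpose (sslserver, smimesign, ...), $3 = leaf cert.
  # Prints "ok" or "rejected"; always returns 0 so callers can collect results.
  # -no-CApath keeps the system hash directory out of the picture so only the
  # given CA file decides the outcome.
  if openssl verify -no-CApath -purpose "$2" -CAfile "$1" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

trust_demo() {
  # Runs the five checks and prints their results on one line:
  #   1. plain CA, sslserver      -> ok       (no trust list: trusted for everything)
  #   2. emailProtection CA, sslserver -> rejected (explicit list, serverAuth missing)
  #   3. emailProtection CA, smimesign -> ok
  #   4. serverAuth CA, sslserver -> ok
  #   5. serverAuth CA, smimesign -> rejected
  dir=$(mktemp -d)
  make_test_pki "$dir"
  # Same CA key material, different trust settings attached by -addtrust.
  openssl x509 -in "$dir/ca.pem" -out "$dir/ca_email.pem" -addtrust emailProtection
  openssl x509 -in "$dir/ca.pem" -out "$dir/ca_server.pem" -addtrust serverAuth

  r1=$(verify_result "$dir/ca.pem"        sslserver "$dir/server.pem")
  r2=$(verify_result "$dir/ca_email.pem"  sslserver "$dir/server.pem")
  r3=$(verify_result "$dir/ca_email.pem"  smimesign "$dir/server.pem")
  r4=$(verify_result "$dir/ca_server.pem" sslserver "$dir/server.pem")
  r5=$(verify_result "$dir/ca_server.pem" smimesign "$dir/server.pem")
  rm -rf "$dir"
  printf '%s %s %s %s %s\n' "$r1" "$r2" "$r3" "$r4" "$r5"
}

trust_demo
```

The middle two checks are the point of the thread: once a CA carries an explicit trust list, OpenSSL no longer treats it as trusted for every purpose but only for the listed ones, so a bundle entry marked emailProtection cannot vouch for a TLS server even though the certificate and its keyUsage are unchanged. Whether a bundle shipped in /etc/ssl/certs actually carries such lists is a distribution decision; a plain "CERTIFICATE" PEM block has none, and is the "trusted for all purposes" case.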
