how to make gnutls trust p11-kit's ca-anchors?
ludwig.nussel at suse.de
Thu Jul 25 05:08:22 PDT 2013
Stef Walter wrote:
> On 04.07.2013 18:08, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>> URL by default without every app having to specify it?
>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>> Bingo. Thanks.
>> That's exactly how I would like to have gnutls configured on openSUSE
>> by default. I'll try your gnutls patch. Thanks!
> One thing to note is that gnutls only looks up anchors, and doesn't
> check blacklists. That's fine, it's a good start.

Ah, gnutls doesn't know about the trusted usages. So I can't use
pkcs11 as store in the distro yet.

Doesn't seem to work properly anyways (full debug log attached):

$ p11tool --list-all-trusted
Type: X.509 Certificate
Label: Entrust.net Premium 2048 Secure Server CA
Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.

(o_ Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 7457 bytes
Desc: not available