how to make gnutls trust p11-kit's ca-anchors?

Ludwig Nussel ludwig.nussel at
Thu Jul 25 05:08:22 PDT 2013

Stef Walter wrote:
> On 04.07.2013 18:08, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>> trust
>>>>> URL by default without every app having to specify it?
>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>> Bingo. Thanks.
>> That's exactly how I would like to have gnutls configured on openSUSE
>> by default. I'll try your gnutls patch. Thanks!
> One thing to note is that gnutls only looks up anchors, and doesn't
> check blacklists. That's fine, it's a good start.

Ah, gnutls doesn't know about the trusted usages. So I can't use
pkcs11 as store in the distro yet.
Doesn't seem to work properly anyways (full debug log attached):
$ p11tool --list-all-trusted
Object 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust;id=%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70;;object-type=cert
	Type: X.509 Certificate
	Label: Premium 2048 Secure Server CA
	ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.


  (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p11tool.log
Type: text/x-log
Size: 7457 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list