Difference in sending TLS client cert with Issuer DN list mismatch #1411
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. In curl, when the specified client certificate doesn't match any of the server-specified DNs, the OpenSSL and GnuTLS backends behave differently.
I did this
Here I'm running a simple TLS server that requests client certificates with an issuer CN=serv.
(Note: you can have the server send an empty issuer DN list by omitting the
Generate a client cert with a different issuer (CN=clnt):
Try connecting with the OpenSSL backend:
The client certificate is sent.
With the GnuTLS backend:
No client certificate is sent.
I expected the following
I expected that GnuTLS and OpenSSL backends would behave the same. In particular, I would have a preference for the GnuTLS backend behaving like the OpenSSL backend. To do that, look at
Wouldn't it be enough to add the GNUTLS_FORCE_CLIENT_CERT flag to the gnutls_init function call in
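The two behaviours compared above, reproduced as an added Go example that is not part of this issue or of curl's code: the server advertises CN=serv as its only acceptable issuer, the client holds a certificate issued by CN=clnt, and the `force` switch picks between sending only on an issuer match (what the GnuTLS backend does here) and sending regardless (what the OpenSSL backend does). The self-signed certificates, the `localhost` name and the in-memory pipe are constructed for the example; it models the observable difference, not the GnuTLS flag itself.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// selfSigned returns a constructed self-signed certificate whose subject and issuer are both CN=cn.
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, DNSNames: []string{"localhost"},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// ClientCertSent runs one in-memory handshake: the server requests a client certificate and
// advertises CN=serv as its only acceptable issuer, while the client holds a certificate issued
// by CN=clnt. force=false keeps Go's default client logic (send only on an issuer match, as the
// GnuTLS backend does); force=true hands the certificate over regardless (as OpenSSL does).
func ClientCertSent(force bool) (bool, error) {
	serv, clnt := selfSigned("serv"), selfSigned("clnt")
	pool := x509.NewCertPool()
	pool.AddCert(serv.Leaf) // the subjects in ClientCAs become the advertised issuer DN list
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serv}, ClientCAs: pool,
		ClientAuth:             tls.RequestClientCert, // request but do not require, so both outcomes complete
		SessionTicketsDisabled: true}                  // net.Pipe is unbuffered; avoid a post-handshake server write
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: []tls.Certificate{clnt}}
	if force { // OpenSSL-style: hand over the configured certificate without consulting AcceptableCAs
		cliCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clnt, nil }
	}
	p1, p2 := net.Pipe()
	srv, cli := tls.Server(p1, srvCfg), tls.Client(p2, cliCfg)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return false, err
	}
	if err := <-done; err != nil {
		return false, err
	}
	return len(srv.ConnectionState().PeerCertificates) > 0, nil
}
```

With `ClientAuth` raised to `RequireAndVerifyClientCert` the forced case would instead fail the handshake on the server side, which is the outcome a mismatched issuer list normally produces in production.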