On Tue, Nov 5, 2013 at 4:14 PM, David Woodhouse <dwmw2 at infradead.org> wrote:

> If either of them are responsible for signing your personal cert, then
> OpenConnect will include them in its SSL negotiation, and that can often
> 'help' the server to realise that it actually *does* trust the cert in
> question.

> If that's the issue, then perhaps OpenConnect needs to be taught to go
> looking for these 'supporting' certs in the PKCS#11 store, as well as
> the --cafile. But then again, perhaps GnuTLS ought to do that for
> itself.

> Nikos?

Indeed, that's a nice feature and not too difficult to implement, as PKCS #11 allows searching stored certificates using a DN. It has been on my todo list for quite some time, but I never found the time for that. Patches are (of course) more than welcome!

regards,
Nikos