On Thu, Nov 7, 2013 at 5:08 PM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

>> If either of them are responsible for signing your personal cert, then
>> OpenConnect will include them in its SSL negotiation, and that can often
>> 'help' the server to realise that it actually *does* trust the cert in
>> question.
>>
>> If that's the issue, then perhaps OpenConnect needs to be taught to go
>> looking for these 'supporting' certs in the PKCS#11 store, as well as
>> the --cafile. But then again, perhaps GnuTLS ought to do that for
>> itself.
>>
>> Nikos?
>
> Indeed, that's a nice feature and not too difficult to be implemented
> as PKCS #11 allows searching stored certificates using a DN. It is on
> my todo-list for quite some time but never found the time for that.
> Patches are (of course) more than welcome!

Ok, it seems I've managed to implement it. If you're using
gnutls_certificate_set_x509_key_file() then the full chain will be
loaded when using the version at the git repository (or 3.2.7 when that
is released).

regards,
Nikos