raggi / openssl-osx-ca

Simple periodic task to sync OSX Keychain certs to Homebrew installed OpenSSL & LibreSSL

Add support for gnutls #23

Open raggi opened 3 years ago

raggi commented 3 years ago

Brew installed gnutls also gets a cert.pem of the same general format, so it can be supported in the same way.

Firefishy commented 3 years ago

Heads up, gnutls appears to be slightly more strict on what it considers to be a CA certificate.

Using the cert.pem generated by this script, there are a few certs which cause a warning to be displayed by gnutls:

$ gnutls-cli google.com
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.systemdefault,O=System Identity.
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.kerberos.kdc,O=System Identity.
...
Processed 173 CA certificate(s).
Resolving 'google.com:443'...
Connecting to '2a00:1450:4009:80b::200e:443'...
- Certificate type: X.509

gnutls still functions correctly.
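The warning above comes from gnutls treating the trust bundle strictly: a certificate in the trusted list is expected to carry a basicConstraints extension with cA=TRUE, and entries such as the "System Identity" certificates exported from the keychain do not. The following added example (not part of this repository's script, and not gnutls code) shows how a defender can audit a PEM bundle for that condition before handing it to gnutls. It uses only the Python standard library with a minimal DER walker that looks for basicConstraints (OID 2.5.29.19); the `_fake_cert` helper builds constructed, deliberately incomplete certificate-shaped DER for demonstration only, and is not a valid X.509 certificate. Function names are this example's own.

```python
import base64
import re
import sys

# OID 2.5.29.19 (basicConstraints), DER-encoded content bytes.
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos (single-byte tags only, which X.509 uses).
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def is_ca_certificate(der):
    """True only if basicConstraints is present with cA=TRUE.
    A missing extension, or cA absent (DEFAULT FALSE), counts as non-CA."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    for tag, val in _children(tbs):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _read_tlv(val, 0)      # unwrap SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = _children(ext)         # OID, [critical BOOLEAN], OCTET STRING
            if fields[0][0] == 0x06 and fields[0][1] == BASIC_CONSTRAINTS_OID:
                _, bc, _ = _read_tlv(fields[-1][1], 0)  # BasicConstraints SEQUENCE
                inner = _children(bc)
                return bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
        return False
    return False


def filter_ca_bundle(text):
    """Keep only CA certificates from a PEM bundle.
    Returns (filtered_pem_text, number_of_certs_dropped)."""
    kept, dropped = [], 0
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        if is_ca_certificate(der):
            kept.append(m.group(0))
        else:
            dropped += 1
    return ("\n".join(kept) + "\n") if kept else "", dropped


def _tlv(tag, value):
    """Encode a DER TLV (used only to build constructed test data)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _fake_cert(ca, include_bc=True):
    """Constructed demo data: the outer shape of a certificate (version, serial,
    extensions, empty signature fields) so the parser has something to walk.
    It is NOT a valid certificate and must not be used as one."""
    bc_inner = _tlv(0x01, b"\xff") if ca else b""
    bc_ext = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID)
                  + _tlv(0x01, b"\xff")                    # critical
                  + _tlv(0x04, _tlv(0x30, bc_inner)))      # extnValue
    exts = _tlv(0xA3, _tlv(0x30, bc_ext if include_bc else b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + exts)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python filter_ca_bundle.py cert.pem > cert-ca-only.pem
    with open(sys.argv[1]) as f:
        out, dropped = filter_ca_bundle(f.read())
    sys.stdout.write(out)
    print(f"dropped {dropped} non-CA certificate(s)", file=sys.stderr)
```

Run against the generated cert.pem, the script writes a bundle containing only certificates whose basicConstraints say cA=TRUE and reports how many entries were dropped; dropping the non-CA entries is what silences the gnutls warnings rather than hiding them. The walker is intentionally minimal (no signature or validity checks), so it is an audit aid for the bundle's contents, not a replacement for a real X.509 parser.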