Sander Marechal <[email protected]> writes:

> Hi,
>
> I'm the submitter of the bug at Debian.
>
> Nikos Mavrogiannopoulos wrote:
>> Thanks for the report. I'll try to fix it as soon. However note that if
>> you want to set all the list of ca-certificates.crt as the trusted list
>> then probably you are doing something wrong.
>
> In my case I am building a website where people authenticate using a
> client certificate. I extract the e-mail address from the client
> certificate DN and match that against the database of known users. If
> it's an unknown user then they can create an account.
>
> I don't want to babysit SSL certificates and sign them all myself. As
> long as someone presents me with a certificate signed by someone I trust
> (that would be all the CA's in ca-certificates) I want them to be able
> to access the website. This is not some small, closed intranet or
> something, but a website that anyone should be able to access.
>
> The only way I see to reduce the list of CA's that I need to load is to
> figure out which of them don't give out client certificates. There's got
> to be quite a few in that list that only give out server certificates.

You can increase MAX_CA_CRTS in includes/mod_gnutls.h.in manually, it is
currently hard-coded to 128. Of course, the proper fix will be to make
the allocation dynamic.

/Simon
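
The difference between a table capped at 128 entries and a dynamically grown one, as an added example that is not part of the original message and is not mod_gnutls code. The function names `index_certs` and `make_bundle` are hypothetical, and the bundle is built from constructed placeholder PEM blocks rather than real certificates.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CA_CRTS 128 /* the hard-coded limit named in the reply */
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END "-----END CERTIFICATE-----"

/* Index every complete PEM block in pem. With limit > 0 the table is capped
 * like a fixed array and -2 is returned on overflow; with limit == 0 it grows
 * by doubling. Returns the count, or -1 on allocation failure. Caller frees. */
static int index_certs(const char *pem, size_t limit, const char ***out) {
    size_t n = 0, cap = 0;
    const char **slots = NULL, *b, *e;
    *out = NULL;
    while ((b = strstr(pem, PEM_BEGIN)) && (e = strstr(b, PEM_END))) {
        if (limit && n == limit) { free(slots); return -2; } /* refuse, never truncate */
        if (n == cap) {
            size_t ncap = cap ? cap * 2 : 16;
            const char **tmp = realloc(slots, ncap * sizeof *tmp);
            if (tmp == NULL) { free(slots); return -1; }
            slots = tmp; cap = ncap;
        }
        slots[n++] = b;
        pem = e + strlen(PEM_END);
    }
    *out = slots;
    return (int)n;
}

/* Constructed sample input: placeholder PEM blocks, not real certificates. */
static char *make_bundle(size_t count) {
    const char *blk = PEM_BEGIN "\nAAAA\n" PEM_END "\n";
    size_t len = strlen(blk);
    char *buf = malloc(count * len + 1);
    for (size_t i = 0; buf && i < count; i++) memcpy(buf + i * len, blk, len);
    if (buf) buf[count * len] = '\0';
    return buf;
}

int main(void) {
    const char **idx;
    char *bundle = make_bundle(140); /* constructed: more than MAX_CA_CRTS */
    if (bundle == NULL) return 2;
    int capped = index_certs(bundle, MAX_CA_CRTS, &idx); /* -2: over the cap */
    int grown = index_certs(bundle, 0, &idx);            /* 140 */
    free(idx);
    free(bundle);
    return (capped == -2 && grown == 140) ? 0 : 1;
}
```

The capped call fails closed instead of loading only the first 128 entries, so a trust list is never silently shortened.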

