* [PATCH 0/3] Add CRL checking to server and client (v2)
@ 2025-06-18 9:00 Rik Theys
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
These patches add CRL checking to the TLS client and server code.
It introduces an x509.crl configuration option that specifies the
location of a CRL in PEM format.
The CRL (certificate revocation list) can be used by an administrator
to block access to certificates that should no longer be trusted
for some reason.
See https://github.com/oracle/ktls-utils/issues/103
The last two patches implement the suggestion from Long Xin.
Rik Theys (5):
Add server-side CRL checking
Add client-side CRL checking
Add x509.crl option to man page.
Move server-side CRL code to common function
Move client-side CRL code to common function
src/tlshd/client.c | 68 ++++++++++++++++++++++++----------------
src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++
src/tlshd/server.c | 63 ++++++++++++++++++++++++-------------
src/tlshd/tlshd.conf.man | 9 +++++-
src/tlshd/tlshd.h | 2 ++
5 files changed, 158 insertions(+), 50 deletions(-)
--
2.49.0
* [PATCH 1/5] Add server-side CRL checking
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
If an x509.crl option is specified in the authenticate.server
section of the configuration file, use it as a certificate
revocation list.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/server.c | 14 ++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 48 insertions(+)
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index be5d472..1963116 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -350,6 +350,39 @@ bool tlshd_config_get_server_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_server_crl - Get CRL for ServerHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_server_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("server x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Server x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_server_certs - Get certs for ServerHello from .conf
* @certs: OUT: in-memory certificates
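Review bot: The `else if (access(pathname, F_OK))` branch in tlshd_config_get_server_crl turns a configured-but-missing CRL into the same `false` that means "no x509.crl set", so a typo in the path or a CRL that was rotated away silently disables revocation checking, announced only at debug level. Since gnutls_certificate_set_x509_crl_file already returns a negative code for a file it cannot open and the caller aborts the handshake on that, dropping the four-line `access()` branch makes the configured-but-unusable case fail closed instead of open and removes a check-then-use gap on the path (F_OK also tests existence only, not readability, so it does not even catch the unreadable case). The pattern looks copied from tlshd_config_get_server_truststore, where falling back to the system trust is at least a defined behaviour; a CRL has no fallback. If a pre-flight message is still wanted, `tlshd_log_error(...)` rather than `tlshd_log_debug(...)` is the appropriate level for a security control that is not going to be applied. The complete function is within the hunk.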
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 72ff6f5..bf4b740 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -219,6 +219,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -239,6 +240,19 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_server_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
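Review bot: The `else` branch logs `System CRL: No CRL file configured.` also when x509.crl is set but tlshd_config_get_server_crl rejected the path, and the success branch calls a configured file "System CRL", so the debug trail cannot tell an operator whether revocation checking is actually in force; suggest `tlshd_log_debug("CRL: Loaded %d CRL(s) from x509.crl.", ret);` and `tlshd_log_debug("CRL: No usable x509.crl configured.");`. Whether a loaded CRL has any effect depends on tlshd_server_x509_verify_function (outside this hunk) treating GNUTLS_CERT_REVOKED in the verification status as fatal, which this series does not show; a one-line comment at the load site saying that is where the CRL is enforced would help the next reader. Minor: `if (ret < 0 )` has a stray space before the parenthesis. tlshd_tls13_server_x509_handshake starts and ends outside the hunk.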
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 135e1e0..617d1c6 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -61,6 +61,7 @@ bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
bool tlshd_config_get_server_truststore(char **bundle);
+bool tlshd_config_get_server_crl(char **bundle);
bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey);
--
2.49.0
* [PATCH 2/5] Add client-side CRL checking
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
If an x509.crl option is specified in the authenticate.client
section of the configuration file, use it as a certificate
revocation list.
This commit only adds the check for tcp based TLS sessions.
Support for QUIC still needs to be added.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/client.c | 28 ++++++++++++++++++++++++++++
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 62 insertions(+)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 9c8f512..189452f 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -49,6 +49,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -77,6 +78,19 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
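Review bot: Loading the CRL into xcred in tlshd_tls13_client_anon_handshake only matters if this session verifies the server chain against these credentials and acts on GNUTLS_CERT_REVOKED; the code that decides that is outside the hunk, and the function name suggests a reduced-authentication path, so please confirm the CRL is consulted here rather than loaded for nothing. A short comment at the load site, e.g. `/* Revocation on this path is checked only against the configured x509.crl. */`, would record that decision if it is deliberate. The enclosing function starts and ends outside the hunk.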
@@ -275,6 +289,7 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -295,6 +310,19 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
if (!tlshd_x509_client_get_privkey(parms))
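Review bot: `free(crlfile)` runs before the `ret < 0` check, so when the CRL fails to parse the only diagnostic is the generic tlshd_log_gnutls_error with no hint which file was rejected, which makes the resulting fail-closed handshake hard to debug for an operator. Move the free after the check and name the file: `if (ret < 0) { tlshd_log_error("Failed to load CRL file %s", crlfile); free(crlfile); tlshd_log_gnutls_error(ret); goto out_free_creds; }` followed by `free(crlfile);` on the success path. The same ordering appears in the anon handshake earlier in this patch. tlshd_tls13_client_x509_handshake starts and ends outside the hunk.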
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index 1963116..7041fe9 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -212,6 +212,39 @@ bool tlshd_config_get_client_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_client_crl - Get CRL for ClientHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_client_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("client x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Client x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_client_certs - Get certs for ClientHello from .conf
* @certs: OUT: in-memory certificates
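Review bot: tlshd_config_get_client_crl is a line-for-line copy of tlshd_config_get_server_crl from the previous patch apart from the section name and log prefix, so any later change to the lookup (for instance tightening or dropping the `access()` pre-check) has to be made twice and can drift between client and server. A static helper taking the section name, with the two public getters reduced to one-line wrappers, keeps the declared interface unchanged and removes the duplication. The complete function is within the hunk.

```c
static bool tlshd_config_get_crl(const char *section, char **bundle)
{
	GError *error = NULL;
	gchar *pathname;

	pathname = g_key_file_get_string(tlshd_configuration, section,
					 "x509.crl", &error);
	if (!pathname) {
		g_error_free(error);
		return false;
	} else if (access(pathname, F_OK)) {
		tlshd_log_debug("%s x509.crl pathname \"%s\" is not accessible",
				section, pathname);
		g_free(pathname);
		return false;
	}

	*bundle = strdup(pathname);
	g_free(pathname);
	if (!*bundle)
		return false;

	tlshd_log_debug("%s x509.crl is %s", section, *bundle);
	return true;
}

bool tlshd_config_get_client_crl(char **bundle)
{
	return tlshd_config_get_crl("authenticate.client", bundle);
}
```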
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 617d1c6..f674cae 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -57,6 +57,7 @@ extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms
bool tlshd_config_init(const gchar *pathname);
void tlshd_config_shutdown(void);
bool tlshd_config_get_client_truststore(char **bundle);
+bool tlshd_config_get_client_crl(char **bundle);
bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
--
2.49.0
* [PATCH 3/5] Add x509.crl option to man page.
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
Update the man page to include the x509.crl option available
in the authenticate.server and authenticate.client section.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/tlshd.conf.man | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/tlshd/tlshd.conf.man b/src/tlshd/tlshd.conf.man
index 9d6d92f..745058a 100644
--- a/src/tlshd/tlshd.conf.man
+++ b/src/tlshd/tlshd.conf.man
@@ -94,7 +94,7 @@ and it consults the settings in the
.I [server]
subsection when handling the server end of a handshake.
.P
-In each of these two subsections, there are three available options:
+In each of these two subsections, there are four available options:
.TP
.B x509.truststore
This option specifies the pathname of a file containing a
@@ -104,6 +104,13 @@ If this option is not specified,
.B tlshd
uses the system's trust store.
.TP
+.B x509.crl
+This option specifies the pathname of a file containing a
+PEM-encoded certificate revocation list (CRL) that is to be
+used to verify the revocation status of a certificate during
+a handshake.
+If this option is not specified, no CRL checking takes place.
+.TP
.B x509.certificate
This option specifies the pathname of a file containing
a PEM-encoded x.509 certificate that is to be presented during
--
2.49.0
* [PATCH 4/5] Move server-side CRL code to common function
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
The code that configures the CRL is needed in both the TLS
and QUIC setup functions. Move the code that configures the
certificate and CRL into a separate function and call it from
tlshd_tls13_server_x509_handshake for TLS and
tlshd_quic_server_set_x509_session for QUIC.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/server.c | 73 +++++++++++++++++++++++++---------------------
1 file changed, 39 insertions(+), 34 deletions(-)
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index bf4b740..f0e83ff 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -207,27 +207,13 @@ certificate_error:
return GNUTLS_E_CERTIFICATE_ERROR;
}
-static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
-{
- struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
-
- return tlshd_server_x509_verify_function(session, parms);
-}
-
-static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
+ xcred)
{
- gnutls_certificate_credentials_t xcred;
- gnutls_session_t session;
- char *cafile;
char *crlfile;
+ char *cafile;
int ret;
- ret = gnutls_certificate_allocate_credentials(&xcred);
- if (ret != GNUTLS_E_SUCCESS) {
- tlshd_log_gnutls_error(ret);
- return;
- }
-
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
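Review bot: The new tlshd_server_configure_credentials has no kernel-doc header although the config.c getters added earlier in this series document every function; add a `/** ... */` block above it stating that it loads the configured x509.truststore (or the system trust) and the optional x509.crl into @xcred, installs the certificate retrieve callback, returns GNUTLS_E_SUCCESS or a negative GnuTLS error, and that on a CRL failure @xcred is already partially populated and must still be freed by the caller. That last point is what the callers in later hunks need to get their cleanup label right. The function body continues past the end of this hunk.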
@@ -235,8 +221,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
@@ -245,22 +230,50 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
+ gnutls_certificate_set_retrieve_function2(xcred,
+ tlshd_x509_retrieve_key_cb);
+
+ return GNUTLS_E_SUCCESS;
+}
+
+static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
+{
+ struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
+
+ return tlshd_server_x509_verify_function(session, parms);
+}
+
+static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+{
+ gnutls_certificate_credentials_t xcred;
+ gnutls_session_t session;
+ int ret;
+
+ ret = gnutls_certificate_allocate_credentials(&xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ return;
+ }
+
+ ret = tlshd_server_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
if (!tlshd_x509_server_get_privkey(parms)) {
goto out_free_creds;
}
- gnutls_certificate_set_retrieve_function2(xcred,
- tlshd_x509_retrieve_key_cb);
ret = gnutls_init(&session, GNUTLS_SERVER);
if (ret != GNUTLS_E_SUCCESS) {
@@ -479,7 +492,6 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
gnutls_datum_t ticket_key;
gnutls_session_t session;
int ret = -EINVAL;
- char *cafile;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
tlshd_log_error("cert/privkey get error %d", -ret);
@@ -489,17 +501,10 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
- if (tlshd_config_get_server_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(cred, cafile,
- GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(cred);
- if (ret < 0)
- goto err_cred;
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
- gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
+ ret = tlshd_server_configure_credentials(cred);
+ if (ret != GNUTLS_E_SUCCESS)
+ goto err;
gnutls_certificate_set_verify_function(cred, tlshd_quic_server_x509_verify_function);
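Review bot: After gnutls_certificate_allocate_credentials has succeeded, a failure from tlshd_server_configure_credentials now jumps to `err` instead of the `err_cred` label the removed truststore code used, so the allocated credentials are leaked on every failed QUIC server setup; change the new line to `goto err_cred;` (assuming that label survives elsewhere in the function, as the removed lines imply). The failure is also silent here, unlike the TLS caller, so a `tlshd_log_gnutls_error(ret);` before the jump would tell the operator why the handshake was refused. tlshd_quic_server_set_x509_session starts and ends outside the hunk.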
--
2.49.0
* [PATCH 5/5] Move client-side CRL code to common function
From: Rik Theys @ 2025-06-18 9:00 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
The code that configures the CRL is needed in both the TLS and
QUIC setup functions. Move the code that configures the CA
certificates and CRL into a separate function and call it from
the anon/mtls TLS and QUIC setup functions.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/client.c | 94 ++++++++++++++++++++--------------------------
1 file changed, 40 insertions(+), 54 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 189452f..6fb507a 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -43,29 +43,13 @@
#include "tlshd.h"
#include "netlink.h"
-static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_client_configure_credentials(gnutls_certificate_credentials_t
+ xcred)
{
- gnutls_certificate_credentials_t xcred;
- gnutls_session_t session;
- unsigned int flags;
char *cafile;
char *crlfile;
int ret;
- ret = gnutls_certificate_allocate_credentials(&xcred);
- if (ret != GNUTLS_E_SUCCESS) {
- tlshd_log_gnutls_error(ret);
- return;
- }
-
- /*
- * Don't reject self-signed server certificates.
- */
- gnutls_certificate_set_verify_flags(xcred,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
- gnutls_certificate_set_flags(xcred,
- GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
-
if (tlshd_config_get_client_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
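Review bot: tlshd_client_configure_credentials is introduced without a documentation comment; give it a `/** ... */` header describing that it loads the configured x509.truststore (or the system trust) and the optional x509.crl into @xcred, returns GNUTLS_E_SUCCESS or a negative GnuTLS code, and deliberately leaves verify flags to the caller, since the anon path sets them before this call and the QUIC path sets them after it. Recording who owns the verify flags is the useful part: a reader of this helper alone cannot see that the revocation checks it enables can be relaxed by flags set elsewhere. The function body continues past the end of this hunk.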
@@ -73,8 +57,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
@@ -83,14 +66,43 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
+ return GNUTLS_E_SUCCESS;
+}
+
+static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+{
+ gnutls_certificate_credentials_t xcred;
+ gnutls_session_t session;
+ unsigned int flags;
+ int ret;
+
+ ret = gnutls_certificate_allocate_credentials(&xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ return;
+ }
+
+ /*
+ * Don't reject self-signed server certificates.
+ */
+ gnutls_certificate_set_verify_flags(xcred,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+ gnutls_certificate_set_flags(xcred,
+ GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
+ ret = tlshd_client_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
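Review bot: The comment `Don't reject self-signed server certificates.` (moved here unchanged) does not describe the flags beneath it: GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2/MD5 admit MD2- and MD5-signed certificates and GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK disables stapled-OCSP checking, neither of which concerns self-signed chains, and together they make the CRL loaded just below the only revocation signal on this path. Suggest replacing it with a comment that names what is relaxed, e.g. `/* Relaxed verification for the anon path: accept MD2/MD5 signatures, skip key/cert match and stapled OCSP; revocation is checked only via x509.crl. */`. If tolerating self-signed servers really is the intent, that would need a verify flag or callback not visible here and is worth confirming. tlshd_tls13_client_anon_handshake continues past the end of the hunk.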
@@ -288,8 +300,6 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
unsigned int flags;
- char *cafile;
- char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -298,30 +308,11 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
return;
}
- if (tlshd_config_get_client_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
- GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(xcred);
- if (ret < 0) {
+ ret = tlshd_client_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
-
- if (tlshd_config_get_client_crl(&crlfile)) {
- ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
- GNUTLS_X509_FMT_PEM);
- free(crlfile);
- if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
- }
- tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
- } else {
- tlshd_log_debug("System CRL: No CRL file configured.");
- }
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
@@ -517,7 +508,6 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
gnutls_certificate_credentials_t cred;
gnutls_session_t session;
int ret = -EINVAL;
- char *cafile;
if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
@@ -528,14 +518,10 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
- if (tlshd_config_get_client_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(cred, cafile, GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(cred);
- if (ret < 0)
- goto err_cred;
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+
+ ret = tlshd_client_configure_credentials(cred);
+ if (ret != GNUTLS_E_SUCCESS)
+ goto err;
if (conn->cert_req == TLSHD_QUIC_NO_CERT_AUTH) {
gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 |
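Review bot: A failure from tlshd_client_configure_credentials now jumps to `err` although gnutls_certificate_allocate_credentials has already succeeded, whereas the removed truststore code used `err_cred`, so the credentials leak on every failed QUIC client setup; the new line should read `goto err_cred;` (assuming that label still exists further down, as the removed lines imply). As in the server variant, the failure is not logged on this path, so `tlshd_log_gnutls_error(ret);` before the jump would help. Note also that the verify flags on the next lines are applied after the CRL has been loaded, so a comment that they do not affect CRL enforcement (if that is indeed the case) would save a reader the question. tlshd_quic_client_set_x509_session starts and ends outside the hunk.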
--
2.49.0