[gnutls-dev] gnutls_certificate_verify_peers2() does not handle expirations

Rupert Kittinger rkit at mur.at
Fri Jun 3 15:53:03 CEST 2005

Hi everybody,

I think the x509 certificate check performed by 
gnutls_certificate_verify_peers2() is not sufficient, because it does not 
validate the various time constraints (activation/expiration of 
certificates, CAs, CRLs).

I propose adding the following function:

int gnutls_certificate_verify_peers3 (gnutls_session session, unsigned int 
* status, time_t then) 

that has the following semantics:
- perform the same checks as gnutls_certificate_verify_peers2()
- for every certificate in the chain, check for activation and expiration
- if a crl is available for a CA and the nextUpdate field is available,
  check for expiration. 

add validation flags for the new error conditions.

with the current API, these checks can only be performed by duplicating 
some of the code to get to the certificates, resp. crls.

also, I did not find any checks for unknown critical extensions. As far as 
I know, these should also cause validation failure. Did I overlook 


Rupert Kittinger <rkit at mur.at>

More information about the Gnutls-devel mailing list