trusted intermediate CAs

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Nov 13 16:31:41 CET 2008


On Thu, Nov 13, 2008 at 1:27 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
>> the library doesn't export any high level verification function to
>> verify certificate chains.
>
> What about gnutls_x509_crt_list_verify() and
> gnutls_certificate_verify_peers2() ?  The latter is used in src/srv.c
> and srv/cli.c, and i think it calls the former under the hood (using
> data from the TLS session to fill in the specific parameters).
>
> Those seem like high-level functions to verify certificate chains to
> me.  Did you mean something else?

No. But they are not high level functions. There are no hooks to print
any useful information like certtool is printing for each verification.

> I think it would be really useful to have certtool reflect the
> internal workings of GnuTLS as closely as possible, not least for the
> sake of providing tools to help admins who are trying to debug/test
> GnuTLS-based applications.

I agree. We can add it as a todo item.

regards,
Nikos
