[Help-gnutls] Re: CA cert verification
Simon Josefsson
jas at extundo.com
Wed Aug 24 12:15:52 CEST 2005
Daniel Stenberg <daniel at haxx.se> writes:
> On Wed, 24 Aug 2005, Simon Josefsson wrote:
>
>> jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
>
> The key difference turns out to be:
>
> gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> Which gnutls-cli sets and I didn't. When I use this, I can
> successfully verify this server's certificate!
>
> Perhaps the gnutls_certificate_verify_peers2() description in the docs could
> hint about the possibility that this is needed?
Good idea, I added:
* Note that some commonly used X.509 Certificate Authorities are
* still using Version 1 certificates. If you want to accept them,
* you need to call gnutls_certificate_set_verify_flags() with, e.g.,
* %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
> Another little nit that is slightly related:
>
> gnutls-cli uses the gnutls_certificate_verify_peers() function
> (alias, not the *2 version), there are numerous references to this
> function in the docs but there's no description for it... I take it
> the gnutls_certificate_verify_peers2() is the one we should be
> using, but it would probably be suitable if gnutls-cli was switched
> to use it and if the references in the docs were updated as well.
I fixed all references to gnutls_certificate_verify_peers in the
documentation that I could find. If you find any remaining
occurrences, let me know. I also made the old function documented in
GTK-DOC again, but with a reference to the new function. I fixed
gnutls-cli too.
Frankly, I'm not sure why gnutls_certificate_verify_peers is
deprecated. The return values are negative for "real" errors, zero
for success and positive for "soft" verification errors. Nikos?
Thanks,
Simon
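Added example, not code from this thread, from GnuTLS, or from curl: the call sequence the discussion converges on (set the verify flags on the credentials, then call gnutls_certificate_verify_peers2()), together with a helper that maps the result onto the three-way convention Simon describes for the old function: negative for a real error, zero for success, positive for a soft verification failure. The GnuTLS calls are compiled only when HAVE_GNUTLS is defined so the helper can be built and run without the library; the status constants in the fallback branch are copied from gnutls_certificate_status_t in <gnutls/gnutls.h> (assumed accurate; the real header is used when HAVE_GNUTLS is set). The (rc, status) pairs in main() are constructed inputs, not values captured from a session, and the function names verify_peer_allowing_v1_roots, classify_verify_result and verify_status_reason are mine.

```c
/*
 * Added example (not from the thread, GnuTLS, or curl).  Shows the
 * set_verify_flags -> verify_peers2 sequence and maps the outcome to:
 *   < 0  real error (nothing could be verified)
 *   == 0 success
 *   > 0  soft verification failure, with the status bits preserved
 */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#else
/* Subset of gnutls_certificate_status_t, copied from gnutls.h so this file
 * builds stand-alone.  Assumed accurate; the real header wins if present. */
#define GNUTLS_CERT_INVALID            2u
#define GNUTLS_CERT_REVOKED           32u
#define GNUTLS_CERT_SIGNER_NOT_FOUND  64u
#define GNUTLS_CERT_SIGNER_NOT_CA    128u
#endif

/*
 * rc is the return value of gnutls_certificate_verify_peers2(); status is
 * the bitmask it fills in.  Note that rc == 0 only means the call itself
 * worked: the chain is trusted only when status is also 0.
 */
int classify_verify_result(int rc, unsigned int status)
{
    if (rc < 0)
        return rc;                           /* library error, e.g. no peer cert */
    if (status == 0)
        return 0;                            /* chain verified against the trust list */
    return (int) (status & 0x7fffffffu);     /* soft failure; mask keeps it positive */
}

/* Human-readable reason for the most serious failure bit present. */
const char *verify_status_reason(unsigned int status)
{
    if (status == 0)
        return "verified";
    if (status & GNUTLS_CERT_REVOKED)
        return "certificate revoked";
    if (status & GNUTLS_CERT_SIGNER_NOT_CA)
        return "signer is not a CA";
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
        return "issuer not in the trusted CA list";
    if (status & GNUTLS_CERT_INVALID)
        return "certificate invalid";
    return "unknown verification failure";
}

#ifdef HAVE_GNUTLS
/*
 * Live-session wrapper.  Assumes `cred` already holds the CA bundle (for
 * example via gnutls_certificate_set_x509_trust_file()) and that the
 * handshake on `session` has completed.  The flag must be set on the
 * credentials before verify_peers2() runs; that is the step curl lacked.
 */
int verify_peer_allowing_v1_roots(gnutls_session_t session,
                                  gnutls_certificate_credentials_t cred)
{
    unsigned int status = 0;
    int rc;

    gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
    rc = gnutls_certificate_verify_peers2(session, &status);
    return classify_verify_result(rc, status);
}
#endif

int main(void)
{
    /* Constructed (rc, status) pairs; not captured from a real session. */
    struct { int rc; unsigned int status; } samples[] = {
        {  0, 0 },
        {  0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
        {  0, GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED },
        { -1, 0 },  /* library error, e.g. peer sent no certificate */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = classify_verify_result(samples[i].rc, samples[i].status);
        printf("rc=%d status=0x%x -> %d (%s)\n", samples[i].rc, samples[i].status,
               r, r < 0 ? "hard error" : verify_status_reason(samples[i].status));
    }
    return 0;
}
```

Build with -DHAVE_GNUTLS and -lgnutls to compile the live wrapper; without it only the classification helpers are built. One caveat worth keeping in mind when enabling the flag: GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT only admits version 1 certificates that are already in the trusted root set. A version 1 certificate carries no basicConstraints extension, so there is no in-certificate way to tell a CA from an end-entity certificate; that is why accepting version 1 intermediates needs the separate, riskier GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT flag.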