[Help-gnutls] Re: CA cert verification

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Aug 24 19:41:24 CEST 2005


On Wednesday 24 August 2005 12:15, Simon Josefsson wrote:
[...]
> > The key difference turns out to be:
> >   gnutls_certificate_set_verify_flags(cred,
> >   			              GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
[...]
>   * Note that some commonly used X.509 Certificate Authorities are
>   * still using Version 1 certificates.  If you want to accept them,
>   * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
>   * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.

Indeed, without this flag most of the old (really old) root certificates won't 
work. (it's funny that some of them even use md2!).

> I fixed all reference to gnutls_certificate_verify_peers in the
> documentation that I could find.  If you find any remaining
> occurrences, let me know.  I also made the old function documented in
> GTK-DOC again, but with a reference to the new function.  I fixed
> gnutls-cli too.
> Frankly, I'm not sure why gnutls_certificate_verify_peers is
> deprecated.  The return values are negative for "real" errors, zero
> for success and positive for "soft" verification errors.  Nikos?
The problem is that it very easy for this function to be misused. 
I didn't want to mix negative numbers and bit checking, that why I deprecated 
it. (and since it is deprecated it shouldn't be documented since it may be 
removed in future versions).

-- 
Nikos Mavrogiannopoulos





More information about the Gnutls-help mailing list