[Help-gnutls] Re: CA cert verification

From: Simon Josefsson
Subject: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 12:15:52 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:
> On Wed, 24 Aug 2005, Simon Josefsson wrote:
>
>> address@hidden:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com
>
> The key difference turns out to be:
>
>   gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> Which gnutls-cli sets and I didn't. When I use this, I can
> successfully verify this server's certificate!
>
> Perhaps the gnutls_certificate_verify_peers2() description in the docs could
> hint about the possibility that this is needed?

Good idea, I added:

  * Note that some commonly used X.509 Certificate Authorities are
  * still using Version 1 certificates. If you want to accept them,
  * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
  * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.

> Another little nit that is slightly related:
>
> gnutls-cli uses the gnutls_certificate_verify_peers() function
> (alias, not the *2 version), there are numerous references to this
> function in the docs but there's no description for it... I take it
> the gnutls_certificate_verify_peers2() is the one we should be
> using, but it would probably be suitable if gnutls-cli was switched
> to use it and if the references in the docs were updated as well.

I fixed all references to gnutls_certificate_verify_peers in the
documentation that I could find. If you find any remaining
occurrences, let me know. I also made the old function documented in
GTK-DOC again, but with a reference to the new function. I fixed
gnutls-cli too.

Frankly, I'm not sure why gnutls_certificate_verify_peers is
deprecated. The return values are negative for "real" errors, zero
for success and positive for "soft" verification errors. Nikos?

Thanks,
Simon
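
Added example (not part of the original message and not GnuTLS code): before setting GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT it helps to know which CA certificates in a bundle are actually Version 1, since those carry no extensions. The sketch below reads the version straight from a DER-encoded certificate; the names der_header and x509_der_version are hypothetical, the input is assumed to be DER (not PEM), and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag+length header at b[*pos]. Returns the tag and moves *pos
   to the first content byte, or returns -1 if the header or content overruns. */
static int der_header(const unsigned char *b, size_t n, size_t *pos, size_t *clen)
{
    size_t p = *pos, l;
    if (p > n || n - p < 2) return -1;
    int tag = b[p++];
    l = b[p++];
    if (l & 0x80) {                      /* long form: low 7 bits = length bytes */
        size_t k = l & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n - p < k) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | b[p++];
    }
    if (l > n - p) return -1;
    *pos = p;
    *clen = l;
    return tag;
}

/* Returns the X.509 version (1, 2 or 3) of a DER certificate, -1 if malformed. */
int x509_der_version(const unsigned char *der, size_t n)
{
    size_t pos = 0, clen;
    if (der_header(der, n, &pos, &clen) != 0x30) return -1;  /* Certificate */
    n = pos + clen;
    if (der_header(der, n, &pos, &clen) != 0x30) return -1;  /* tbsCertificate */
    n = pos + clen;
    int tag = der_header(der, n, &pos, &clen);
    if (tag == 0x02) return 1;   /* serialNumber comes first: no version field, so v1 */
    if (tag != 0xA0) return -1;  /* otherwise expect [0] EXPLICIT version */
    n = pos + clen;
    if (der_header(der, n, &pos, &clen) != 0x02 || clen != 1 || der[pos] > 2)
        return -1;
    return der[pos] + 1;         /* encoded 0, 1, 2 mean v1, v2, v3 */
}

/* Constructed samples: only the leading fields the parser reads, not real certificates. */
static const unsigned char SAMPLE_V3[] = {0x30,0x0A,0x30,0x08,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01};
static const unsigned char SAMPLE_V1[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x01};

int main(void)
{
    printf("v3 sample: %d\n", x509_der_version(SAMPLE_V3, sizeof SAMPLE_V3));
    printf("v1 sample: %d\n", x509_der_version(SAMPLE_V1, sizeof SAMPLE_V1));
    return 0;
}
```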