[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle
expirations
Simon Josefsson
jas at extundo.com
Fri Jun 3 17:33:26 CEST 2005
Rupert Kittinger <rkit at mur.at> writes:
> On Fri, 3 Jun 2005, Simon Josefsson wrote:
>
>> Rupert Kittinger <rkit at mur.at> writes:
>>
>> > Hi everybody,
>> >
>> > I think the x509 certificate check performed by
>> > gnutls_certificate_verify_peers2() is not sufficient, because it does not
>> > validate the various time constraints (activation/expiration of
>> > certificates, CAs, CRLs).
>>
>> Right. That is intentional, even if it is unfortunate.
>>
>> Did you see the example in section 7.3.4 of the manual? It try to do
>> a bit more. Full verification of a certificate is application and
>> purpose dependent, so it is difficult to generalize.
>>
>
> I am quite aware of this. However, a lot of users of a library like
> this will not have detailed knowledge of X509 (and all its incarnations,
> sigh) and would profit from a "better safe than sorry" approach. Also, a
> detailed description of the algorithm used in the manual would be a great,
> if only for its educational value :-)
Right, and I agree. It would be useful to have the algorithm in the
gnutls_certificate_verify_peers3 function documentation; then it would
end up in the manual, and would be easy to validate against the source
code.
> I hope I find the time to do this. Maybe some other people reading this
> list care to provide feedback on an improved certificate validation
> algorithm?
I hope so too. As for implementation, taking what's in the 7.3.4
example and making a GnuTLS API function of it should be a good start.
The details in the algorithm can be enhanced further on.
Cheers,
Simon
More information about the Gnutls-dev
mailing list