trusted intermediate CAs
n.mavrogiannopoulos at gmail.com
Thu Nov 13 16:31:41 CET 2008
On Thu, Nov 13, 2008 at 1:27 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
>> the library doesn't export any high level verification function to
>> verify certificate chains.
> What about gnutls_x509_crt_list_verify() and
> gnutls_certificate_verify_peers2() ? The latter is used in src/srv.c
> and srv/cli.c, and I think it calls the former under the hood (using
> data from the TLS session to fill in the specific parameters).
> Those seem like high-level functions to verify certificate chains to
> me. Did you mean something else?
No. But they are not high level functions. There are no hooks to print
information like certtool is printing for each verification.
> I think it would be really useful to have certtool reflect the
> internal workings of GnuTLS as closely as possible, not least for the
> sake of providing tools to help admins who are trying to debug/test
> GnuTLS-based applications.
I agree. We can add it as a todo item.