[gnutls-devel] Unable to trust server certificate instead of issuing CA

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 4 18:40:49 CET 2014


On 12/04/2014 09:27 AM, Nikos Mavrogiannopoulos wrote:
> . Please feel free to point out any locations in the documentation
> that could be improved.

What do you think about propagating a warning out to the calling app if
any of the certs loaded by gnutls_certificate_set_x509_trust_file() has
CA:false ?

(i'm not suggesting this is the only documentation change needed, i'm
just thinking through how to communicate this subtle semantic API shift
to users and downstream developers)

Do you think there's any additional interface that needs to be added to
gnutls-cli to load (<peername>,<peercert>) bindings, or should we expect
people to use --tofu for this purpose?

	--dkg
