[gnutls-devel] [PATCH V3] Check for all error conditions when verifying a certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Sep 18 10:53:46 CEST 2014

On Wed, Sep 17, 2014 at 4:19 PM, Armin Burgmeier <armin at arbur.net> wrote:

>> So with your patch you'll get the status up to the point of first
>> failure. If the failure is in step 1 you'll get the full status for
>> CA->CA1 verification, but no flag will apply on ENDCERT. In your case
>> I think you verify against the scenario: CA -> ENDCERT, so you get
>> some reasonable flags. I don't know how reasonable these would be if
>> you are in a multiple CA scenario. Still it may make sense to do that
>> (in that case I should document that correctly), and I'm not sure
>> whether getting the flags of the 3 steps combined would offer much of
>> an advantage as they refer to multiple certificates. What do you think
>> of that? Is the current situation reasonable for your use case?
> Yes, I think it is reasonable. As you say in the scenario with
> intermediate CAs, the verification flags would be for multiple
> verifications combined, and therefore still lack some information. I
> think it is fine if it is documented that:
> a) the verification procedure stops if a failure has been found with one
> certificate in the chain.
> b) in that case all issues with that particular certificate are
> reported.
> c) the verification order starts from CA->CA1, then CA1->CA2, ..., then
> d) if people need to know more details, they should run the verification
> for each certificate in the chain individually.

I've applied the patch as well as some documentation in master. The plan
is for it to be included in the 3.4.0 branch.
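As an added illustration (not part of the thread and not GnuTLS code), here is a small Python model of the behaviour documented in points (a) to (d) above: a chain verifier that walks CA->CA1->CA2->...->ENDCERT, reports every problem with the first failing certificate, and stops there, next to the per-certificate verification suggested in (d). The `Cert` record, the status bits and their names, the `signed_by` field standing in for a real signature check, and the sample chain are all constructed for this example; the bit values are not GnuTLS's. The only convention borrowed from GnuTLS is that the chain is passed end-entity first, as `gnutls_x509_crt_list_verify` expects.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Status bits in the spirit of gnutls_certificate_status_t. Names and values
# are constructed for this example and are not the GnuTLS ones.
INVALID = 1 << 0           # set whenever any other bit is set
SIGNER_NOT_FOUND = 1 << 1  # no issuer found among verified certs / trust store
SIGNER_NOT_CA = 1 << 2     # issuer found but it is not a CA
BAD_SIGNATURE = 1 << 3     # issuer found but did not actually sign this cert
EXPIRED = 1 << 4
NOT_ACTIVATED = 1 << 5

FLAG_NAMES = {
    INVALID: "INVALID", SIGNER_NOT_FOUND: "SIGNER_NOT_FOUND",
    SIGNER_NOT_CA: "SIGNER_NOT_CA", BAD_SIGNATURE: "BAD_SIGNATURE",
    EXPIRED: "EXPIRED", NOT_ACTIVATED: "NOT_ACTIVATED",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject name this cert claims as its issuer
    is_ca: bool
    not_before: datetime
    not_after: datetime
    signed_by: str       # constructed stand-in for a signature check: who really signed it


def flag_names(flags):
    """Human-readable view of a status bitmask."""
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def verify_one(cert, issuer, now):
    """Verify a single link (cert against its claimed issuer).

    Point (b): every problem with this particular certificate is reported
    together in one bitmask; 0 means the certificate verified."""
    flags = 0
    if issuer is None:
        flags |= SIGNER_NOT_FOUND
    else:
        if not issuer.is_ca:
            flags |= SIGNER_NOT_CA
        if cert.signed_by != issuer.subject:
            flags |= BAD_SIGNATURE
    if now < cert.not_before:
        flags |= NOT_ACTIVATED
    if now > cert.not_after:
        flags |= EXPIRED
    return (flags | INVALID) if flags else 0


def verify_chain(chain, trusted, now):
    """Points (a) and (c): walk from the trust anchor downwards
    (CA->CA1, CA1->CA2, ..., ENDCERT) and stop at the first failing cert.

    `chain` is end-entity first, `trusted` is the trust store.
    Returns (subject_of_failing_cert, flags), or (None, 0) on success."""
    verified = {c.subject: c for c in trusted}
    for cert in reversed(chain):
        flags = verify_one(cert, verified.get(cert.issuer), now)
        if flags:
            return cert.subject, flags
        verified[cert.subject] = cert   # this link is good; it may issue the next
    return None, 0


def verify_each(chain, trusted, now):
    """Point (d): verify every certificate individually against whatever
    claims to be its issuer, so problems further down the chain stay visible."""
    by_subject = {c.subject: c for c in trusted}
    by_subject.update({c.subject: c for c in chain})
    return {c.subject: verify_one(c, by_subject.get(c.issuer), now) for c in chain}


# Constructed sample chain: an expired intermediate AND an end certificate
# whose signature does not come from its claimed issuer.
def _year(y):
    return datetime(y, 1, 1, tzinfo=timezone.utc)

NOW = datetime(2014, 9, 18, tzinfo=timezone.utc)
ROOT = Cert("CA", "CA", True, _year(2010), _year(2030), "CA")
CA1 = Cert("CA1", "CA", True, _year(2010), _year(2014), "CA")            # expired
END = Cert("ENDCERT", "CA1", False, _year(2014), _year(2016), "someone-else")  # bad signature
CHAIN = [END, CA1]

if __name__ == "__main__":
    subject, flags = verify_chain(CHAIN, [ROOT], NOW)
    print("chain verification stopped at", subject, flag_names(flags))
    for subj, f in verify_each(CHAIN, [ROOT], NOW).items():
        print("per-certificate:", subj, flag_names(f))
```

Run against the sample chain, `verify_chain` reports only CA1 (EXPIRED), because verification stops at the first failing certificate; the end certificate's bad signature is invisible. `verify_each` shows both problems, which is the information a caller gets only by verifying each certificate on its own, as point (d) describes.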
