[gnutls-devel] simplifying certificate verification

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Sep 11 15:39:04 CEST 2015


On Tue, Sep 8, 2015 at 4:21 PM, Ted Zlatanov <tzz at lifelogs.com> wrote:
> NM> One of the pains in using gnutls is the fact that quite some
> NM> copy-paste code is needed to perform certificate verification. I decided to
> NM> simplify that from 3.5.0, using a function called
> NM> gnutls_session_auto_verify_cert(), and the result can be seen on the
> NM> following example
> ...
> NM> I'd appreciate any comments or suggestions for improving that interface [0].
> NM> [0]. https://gitlab.com/gnutls/gnutls/blob/master/lib/includes/gnutls/gnutls.h.in#L1296
>
> To me it looks nice and usable. Are there reasons not to use it (other
> than backwards compatibility)?

None that I can think of, if you use X.509 certificates.

>  Any logging gotchas for the users (since
> the logging will change from their point of view if a GnuTLS upgrade
> triggers the use of gnutls_session_auto_verify_cert())?

I introduced a new error code to be returned by gnutls_handshake() on failure.
