[Help-gnutls] Re: CA cert verification
nmav at gnutls.org
Wed Aug 24 19:41:24 CEST 2005
On Wednesday 24 August 2005 12:15, Simon Josefsson wrote:
> > The key difference turns out to be:
> > gnutls_certificate_set_verify_flags(cred,
> > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
> * Note that some commonly used X.509 Certificate Authorities are
> * still using Version 1 certificates. If you want to accept them,
> * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
> * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
Indeed, without this flag most of the old (really old) root certificates won't
work. (it's funny that some of them even use md2!).
> I fixed all reference to gnutls_certificate_verify_peers in the
> documentation that I could find. If you find any remaining
> occurrences, let me know. I also made the old function documented in
> GTK-DOC again, but with a reference to the new function. I fixed
> gnutls-cli too.
> Frankly, I'm not sure why gnutls_certificate_verify_peers is
> deprecated. The return values are negative for "real" errors, zero
> for success and positive for "soft" verification errors. Nikos?
The problem is that it very easy for this function to be misused.
I didn't want to mix negative numbers and bit checking, that why I deprecated
it. (and since it is deprecated it shouldn't be documented since it may be
removed in future versions).
More information about the Gnutls-help