[Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
Simon Josefsson
jas at extundo.com
Thu May 11 21:22:43 CEST 2006
Rich Fought <whatever at fsrz.net> writes:
> Does the function
>
> gnutls_certificate_set_x509_crl_file
>
> do any sort of checking whatsoever on the CRL file?
It reads the file and DER decodes the data.
> The documentation implies that the CRL should be verified
> beforehand, but I'm not sure what this means. I know for sure that
> it does not check dates; does it check the CRL's signature against
> the loaded root CA cert?
No, I don't think so. You'll have to verify that beforehand. This
should probably be fixed, patches welcome.
> If not, does the API provide a way to extract the loaded CRL from the
> credentials structure and do the checking?
Hm, I can't find any API for that. Nikos?
> Or is a separate deal?
gnutls_certificate_verify_peers2 does check certificates against the CRL
though.
/Simon