[Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file

Simon Josefsson jas at extundo.com
Thu May 11 21:22:43 CEST 2006

Rich Fought <whatever at fsrz.net> writes:

> Does the function
> gnutls_certificate_set_x509_crl_file
> do any sort of checking whatsoever on the CRL file?

It reads the file and DER decode the data.

> The documentation implies that the CRL should be verified
> beforehand, but I'm not sure what this means.  I know for sure that
> it does not check dates; does it check the CRL's signature against
> the loaded root CA cert?

No, I don't think so.  You'll have to verify that beforehand.  This
should probably be fixed, patches welcome.

> If not, does the API provide a way to extract the loaded CRL from the
> credentials structure and do the checking?

Hm, I can't find any API for that.  Nikos?

> Or is a separate deal?

gnutls_certificate_verify_peers2 do check certificates against the CRL


More information about the Gnutls-help mailing list