[Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu May 11 21:50:26 CEST 2006


On Thu 11 May 2006 21:22, Simon Josefsson wrote:

> > The documentation implies that the CRL should be verified
> > beforehand, but I'm not sure what this means.  I know for sure that
> > it does not check dates; does it check the CRL's signature against
> > the loaded root CA cert?
>
> No, I don't think so.  You'll have to verify that beforehand.  This
> should probably be fixed, patches welcome.

Indeed. However, the idea is to check the CRL on reception and not
every time it is used. That's why it is not done in that function.

> > If not, does the API provide a way to extract the loaded CRL from
> > the credentials structure and do the checking?
> Hm, I can't find any API for that.  Nikos?

No, there isn't, but why extract the loaded CRL and not verify it
before you load it (with the gnutls_x509_crl_* functions)?


regards,
Nikos