[Help-gnutls] Re: gnutls_x509_crt_set_version documentation suggestion
simon at josefsson.org
Thu Mar 15 12:29:58 CET 2007
Florian Weimer <fweimer at bfk.de> writes:
> It might be a good idea to add the following information to the
> documentation for gnutls_x509_crt_set_version:
> To create well-formed certificates, you must specify version 3 if
> you use any certificate extensions. Extensions are created by
> functions such as gnutls_x509_crt_set_subject_alternative_name or
> (I don't know if GNUTLS supports the v2 extensions.)
I'm not familiar with v2 certificates... It might be possible to
create them using the GnuTLS API's.
> GNUTLS doesn't check if a v1 certificate contains any extensions, but
> other X.509 implementations do.
I've added checking this to the TODO list:
- Chain verifications.
- Reject extensions in v1 certificates.
More information about the Gnutls-help