Checking CA expiration

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Oct 20 09:34:07 CEST 2011


On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
> In our code, we add CAs to our credentials using
> gnutls_set_x509_trust_file.  In gnutls 2.x, we then get a list of the
> CAs using gnutls_certificate_get_x509_cas which we then use to verify
> that at least one of the CAs has not yet expired.  We want to do this
> _before_ initiating a session.
> Is this possible in gnutls 3.x?  gnutls_certificate_get_x509_cas has
> gone away, supposedly in favor of gnutls_certificate_get_issuer(), but
> that requires an existing session.

Why not use gnutls_x509_crt_list_import() or
gnutls_x509_crt_list_import2() and traverse the list of the CAs? The
access to the CA list in the credentials structure has been
restricted to allow for future internal changes.

regards,
Nikos