Checking CA expiration

Nikos Mavrogiannopoulos nmav at
Thu Oct 20 09:34:07 CEST 2011

On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
> In our code, we add CAs to our credentials using
> gnutls_set_x509_trust_file.  In gnutls 2.x, we then get a list of the
> CAs using gnutls_certificate_get_x509_cas which we then use to verify
> that at least one of the CAs has not yet expired.  We want to do this
> _before_ initiating a session.
> Is this possible in gnutls 3.x?  gnutls_certificate_get_x509_cas has
> gone away, supposedly in favor of gnutls_certificate_get_issuer(), but
> that requires an existing session.

Why not use gnutls_x509_crt_list_import() or 
gnutls_x509_crt_list_import2() and traverse the list of the CAs? The 
access to the CA list in the credentials structure has been 
restricted to allow for future internal changes.

