Checking CA expiration
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Oct 20 09:34:07 CEST 2011
On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
> In our code, we add CAs to our credentials using
> gnutls_set_x509_trust_file. In gnutls 2.x, we then get a list of the
> CAs using gnutls_certificate_get_x509_cas which we then use to verify
> that at least one of the CAs has not yet expired. We want to do this
> _before_ initiating a session.
> Is this possible in gnutls 3.x? gnutls_certificate_get_x509_cas has
> gone away, supposedly in favor of gnutls_certificate_get_issuer(), but
> that requires an existing session.
Why not use gnutls_x509_crt_list_import() or
gnutls_x509_crt_list_import2() and traverse the list of the CAs? The
access to the CA list in the credentials structure has been
restricted to allow for future internal changes.
regards,
Nikos