[gnutls-help] Decoding the status parameter in gnutls_certificate_verify_peers2

Wouter Verhelst w at uter.be
Mon Apr 24 18:28:32 CEST 2017


On Mon, Apr 24, 2017 at 01:29:05PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Apr 23, 2017 at 8:51 PM, Wouter Verhelst <w at uter.be> wrote:
> > Hi,
> >
> > gnutls_certificate_verify_peers2 is documented to have two parameters; a
> > gnutls_session_t and an unsigned int *status. The info page has these
> > two things to say about that status parameter:
> >
> >     STATUS: is the output of the verification
> >
> > and
> >
> >    *Returns:* 'GNUTLS_E_SUCCESS' (0) when the validation is performed,
> >     or a negative error code otherwise.  A successful error code means
> >     that the 'status' parameter must be checked to obtain the
> >     validation status.
> >
> > Unfortunately, it does not explain *how* one must check the "status"
> > parameter. I originally believed that the contents of the "status"
> > parameter should be 0, but now suddenly my test suite starts to fail
> > because status has changed to something else, and I can't figure out
> > what it means.
> 
> In my system with gnutls 3.5.11 the manpage mentions:
> "This function will verify the peer's certificate and store the
> status in the status variable as a bitwise or'd
> gnutls_certificate_status_t values or zero if the certificate is
> trusted."
> 
> Does this answer your question?

It does, thank you. Of course, it does not explain why the info page
does not document this -- should I open a bug report for that?

(in case you were wondering, it turned out the test suite's certificate,
which is committed into the repository to avoid having to generate a new
one every time the test suite runs, has now expired; I simply need to
generate a new one)

Thanks,

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12
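
The two-step check discussed in this thread (return value first, then the status bitmask), as an added example that is not part of the original messages or GnuTLS's own code. The helper name `describe_verify_result` is hypothetical, the flag table is a partial mirror of `gnutls_certificate_status_t` so the code runs without the library, and the sample status is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bit values mirrored from gnutls_certificate_status_t in <gnutls/gnutls.h>
 * so the example runs without the library; real code uses the header's enum. */
static const struct { unsigned int bit; const char *name; } flags[] = {
    { 1u << 1,  "GNUTLS_CERT_INVALID" },
    { 1u << 5,  "GNUTLS_CERT_REVOKED" },
    { 1u << 6,  "GNUTLS_CERT_SIGNER_NOT_FOUND" },
    { 1u << 7,  "GNUTLS_CERT_SIGNER_NOT_CA" },
    { 1u << 8,  "GNUTLS_CERT_INSECURE_ALGORITHM" },
    { 1u << 9,  "GNUTLS_CERT_NOT_ACTIVATED" },
    { 1u << 10, "GNUTLS_CERT_EXPIRED" },
};

/* Hypothetical helper. ret: return value of gnutls_certificate_verify_peers2;
 * status: its output. Fills buf; returns 1 only if the peer is trusted. */
int describe_verify_result(int ret, unsigned int status, char *buf, size_t len)
{
    unsigned int left = status;
    size_t i, used;
    if (ret < 0) {      /* validation was not performed: status is meaningless */
        snprintf(buf, len, "verification not performed (error %d)", ret);
        return 0;
    }
    if (status == 0) {  /* validation ran and no failure bit is set */
        snprintf(buf, len, "trusted");
        return 1;
    }
    buf[0] = '\0';
    for (i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(status & flags[i].bit))
            continue;
        used = strlen(buf);
        snprintf(buf + used, len - used, "%s%s", used ? "|" : "", flags[i].name);
        left &= ~flags[i].bit;
    }
    if (left) {         /* bits this table does not list: still a failure */
        used = strlen(buf);
        snprintf(buf + used, len - used, "%s0x%x", used ? "|" : "", left);
    }
    return 0;
}

int main(void)
{
    char buf[256];  /* constructed sample: status for an expired certificate */
    describe_verify_result(0, (1u << 1) | (1u << 10), buf, sizeof buf);
    return puts(buf) < 0;
}
```

When linking against GnuTLS, `gnutls_certificate_verification_status_print` produces a readable description of the same bitmask.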


