[gnutls-help] Decoding the status parameter in gnutls_certificate_verify_peers2

Andreas Metzler ametzler at bebt.de
Mon Apr 24 19:26:24 CEST 2017

On 2017-04-24 Wouter Verhelst <w at uter.be> wrote:
> On Mon, Apr 24, 2017 at 01:29:05PM +0200, Nikos Mavrogiannopoulos wrote:
> > Does this answer your question?

> It does, thank you. Of course, it does not explain why the info page
> does not document this -- should I open a bug report for that?


what version of GnuTLS are you using? I have just checked Debian's
gnutls-doc package version 3.5.8-5 and the info documentation seems to
be complete:
| -- Function: int gnutls_certificate_verify_peers2 (gnutls_session_t
|          SESSION, unsigned int * STATUS)
|     SESSION: is a gnutls session
|     STATUS: is the output of the verification
|     This function will verify the peer's certificate and store the
|     status in the 'status' variable as a bitwise or'd
|     gnutls_certificate_status_t values or zero if the certificate is
|     trusted.  Note that value in 'status' is set only when the return
|     value of this function is success (i.e, failure to trust a
|     certificate does not imply a negative return value).  The default
|     verification flags used by this function can be overridden using
|     'gnutls_certificate_set_verify_flags()' .
|     This function will take into account the OCSP Certificate Status
|     TLS extension, as well as the following X.509 certificate
|     extensions: Name Constraints, Key Usage, and Basic Constraints
|     (pathlen).
|     To avoid denial of service attacks some default upper limits
|     regarding the certificate key size and chain size are set.  To
|     override them use 'gnutls_certificate_set_verify_limits()' .
|     Note that you must also check the peer's name in order to check if
|     the verified certificate belongs to the actual peer, see
|     'gnutls_x509_crt_check_hostname()' , or use
|     'gnutls_certificate_verify_peers3()' .
|     *Returns:* 'GNUTLS_E_SUCCESS' (0) when the validation is performed,
|     or a negative error code otherwise.  A sucessful error code means
|     that the 'status' parameter must be checked to obtain the
|     validation status.

cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gnutls-help mailing list