[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle expi
[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle expirations
Fri, 03 Jun 2005 17:33:26 +0200
Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)
Rupert Kittinger <address@hidden> writes:
> On Fri, 3 Jun 2005, Simon Josefsson wrote:
>> Rupert Kittinger <address@hidden> writes:
>> > Hi everybody,
>> > I think the x509 certificate check performed by
>> > gnutls_certificate_verify_peers2() is not sufficient, because it does not
>> > validate the various time constraints (activation/expiration of
>> > certificates, CAs, CRLs).
>> Right. That is intentional, even if it is unfortunate.
>> Did you see the example in section 7.3.4 of the manual? It try to do
>> a bit more. Full verification of a certificate is application and
>> purpose dependent, so it is difficult to generalize.
> I am quite aware of this. However, a lot of users of a library like
> this will not have detailed knowledge of X509 (and all its incarnations,
> sigh) and would profit from a "better safe than sorry" approach. Also, a
> detailed description of the algorithm used in the manual would be a great,
> if only for its educational value :-)
Right, and I agree. It would be useful to have the algorithm in the
gnutls_certificate_verify_peers3 function documentation; then it would
end up in the manual, and would be easy to validate against the source
> I hope I find the time to do this. Maybe some other people reading this
> list care to provide feedback on an improved certificate validation
I hope so too. As for implementation, taking what's in the 7.3.4
example and making a GnuTLS API function of it should be a good start.
The details in the algorithm can be enhanced further on.