[Help-gnutls] Re: CA cert verification


From: Simon Josefsson
Subject: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 12:15:52 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:

> On Wed, 24 Aug 2005, Simon Josefsson wrote:
>
>> address@hidden:~$ gnutls-cli --x509cafile
>> /usr/share/curl/curl-ca-bundle.crt gmail.google.com
>
> The key difference turns out to be:
>
>   gnutls_certificate_set_verify_flags(cred,
>                                     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> Which gnutls-cli sets and I didn't. When I use this, I can
> successfully verify this server's certificate!
>
> Perhaps the gnutls_certificate_verify_peers2() description in the docs could 
> hint about the possibility that this is needed?

Good idea, I added:

  * Note that some commonly used X.509 Certificate Authorities are
  * still using Version 1 certificates.  If you want to accept them,
  * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
  * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.

> Another little nit that is slightly related:
>
> gnutls-cli uses the gnutls_certificate_verify_peers() function
> (alias, not the *2 version), there are numerous references to this
> function in the docs but there's no description for it... I take it
> the gnutls_certificate_verify_peers2() is the one we should be
> using, but it would probably be suitable if gnutls-cli was switched
> to use it and if the references in the docs were updated as well.

I fixed all references to gnutls_certificate_verify_peers in the
documentation that I could find.  If you find any remaining
occurrences, let me know.  I also made the old function documented in
GTK-DOC again, but with a reference to the new function.  I fixed
gnutls-cli too.

Frankly, I'm not sure why gnutls_certificate_verify_peers is
deprecated.  The return values are negative for "real" errors, zero
for success and positive for "soft" verification errors.  Nikos?

Thanks,
Simon
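The two checks this thread turns on, as an added example in C that is not from the post and not GnuTLS's own code: why a Version 1 CA certificate is only accepted when the application opts in with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, and how an application must read the (return value, status bitmask) pair that gnutls_certificate_verify_peers2() hands back. The GNUTLS_CERT_* and GNUTLS_VERIFY_* values are reproduced from gnutls.h so the file builds without the GnuTLS headers (assumption: your installed header agrees; include the real header instead when linking against the library). The functions describe_verify_status, peer_chain_trusted, check_issuer_is_ca and legacy_verify_result are hypothetical names, and check_issuer_is_ca is a simplified model of the rule the flag relaxes, not GnuTLS's verifier.

```c
#include <stdio.h>
#include <string.h>

/* Constant values reproduced from GnuTLS's gnutls.h of this era so the
 * example compiles stand-alone (assumption: they match your header; when
 * building against the library, drop these and #include <gnutls/gnutls.h>). */
#define GNUTLS_CERT_INVALID               2
#define GNUTLS_CERT_REVOKED               32
#define GNUTLS_CERT_SIGNER_NOT_FOUND      64
#define GNUTLS_CERT_SIGNER_NOT_CA         128
#define GNUTLS_CERT_INSECURE_ALGORITHM    256
#define GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT 2

/* Simplified model (not GnuTLS's code) of the CA check that the flag
 * relaxes: a v3 issuer must carry basicConstraints CA:TRUE, but a v1
 * certificate has no extensions at all, so nothing in it says "I am a
 * CA".  It is therefore accepted as an issuer only when the application
 * opted in with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.  Returns the status
 * bits to OR into the verification result, 0 when the issuer is fine. */
unsigned int check_issuer_is_ca(int x509_version, int basic_constraints_ca,
                                unsigned int verify_flags)
{
    if (x509_version == 1)
        return (verify_flags & GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)
                   ? 0 : (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA);
    return basic_constraints_ca ? 0 : (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA);
}

/* One row per reason bit of the verify_peers2() status bitmask. */
static const struct { unsigned int bit; const char *reason; } verify_reasons[] = {
    { GNUTLS_CERT_REVOKED,            "certificate revoked" },
    { GNUTLS_CERT_SIGNER_NOT_FOUND,   "issuer not found among trusted CAs" },
    { GNUTLS_CERT_SIGNER_NOT_CA,      "issuer is not a CA" },
    { GNUTLS_CERT_INSECURE_ALGORITHM, "signed with an insecure algorithm" },
};

/* Write a ';'-separated explanation of a status bitmask into buf and
 * return the number of reasons found.  A nonzero status with no known
 * reason bit (e.g. GNUTLS_CERT_INVALID alone) still counts as one reason,
 * so a caller can never mistake it for a clean result. */
size_t describe_verify_status(unsigned int status, char *buf, size_t len)
{
    size_t n = 0, i;
    buf[0] = '\0';
    if (status == 0) {
        snprintf(buf, len, "chain verified");
        return 0;
    }
    for (i = 0; i < sizeof verify_reasons / sizeof verify_reasons[0]; i++) {
        if (status & verify_reasons[i].bit) {
            if (n++)
                strncat(buf, "; ", len - strlen(buf) - 1);
            strncat(buf, verify_reasons[i].reason, len - strlen(buf) - 1);
        }
    }
    if (n == 0) {
        snprintf(buf, len, "certificate invalid (unspecified reason)");
        n = 1;
    }
    return n;
}

/* The decision to make after
 *     ret = gnutls_certificate_verify_peers2(session, &status);
 * ret < 0 means the library itself failed, so status means nothing;
 * ret == 0 only means "verification ran".  The chain is trustworthy
 * only when status is zero as well.  Checking ret alone is the classic
 * mistake that silently accepts any certificate. */
int peer_chain_trusted(int ret, unsigned int status)
{
    if (ret < 0)
        return 0;
    return status == 0;
}

/* The older gnutls_certificate_verify_peers() convention Simon describes:
 * negative for "real" errors, zero for success, positive (the status
 * bits) for "soft" verification failures, folded into one return value. */
int legacy_verify_result(int ret, unsigned int status)
{
    if (ret < 0)
        return ret;
    return (int)status;
}

int main(void)
{
    char buf[128];
    /* Constructed scenario: a v1 root CA, first without and then with the flag. */
    unsigned int st = check_issuer_is_ca(1, 0, 0);
    describe_verify_status(st, buf, sizeof buf);
    printf("v1 CA, no flag:   trusted=%d (%s)\n", peer_chain_trusted(0, st), buf);
    st = check_issuer_is_ca(1, 0, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
    describe_verify_status(st, buf, sizeof buf);
    printf("v1 CA, with flag: trusted=%d (%s)\n", peer_chain_trusted(0, st), buf);
    return 0;
}
```

Note that enabling the flag widens what the trust store can vouch for: any v1 certificate in the CA bundle becomes usable as an issuer, since no basicConstraints field exists to say otherwise, so it is worth knowing which bundle entries are v1 before turning it on.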