gnutls-devel

Re: trusted intermediate CAs


From: Nikos Mavrogiannopoulos
Subject: Re: trusted intermediate CAs
Date: Thu, 13 Nov 2008 17:31:41 +0200

On Thu, Nov 13, 2008 at 1:27 AM, Daniel Kahn Gillmor
<address@hidden> wrote:
>> the library doesn't export any high level verification function to
>> verify certificate chains.
>
> What about gnutls_x509_crt_list_verify() and
> gnutls_certificate_verify_peers2() ?  The latter is used in src/srv.c
> and srv/cli.c, and I think it calls the former under the hood (using
> data from the TLS session to fill in the specific parameters).
>
> Those seem like high-level functions to verify certificate chains to
> me.  Did you mean something else?

No. But they are not high level functions. There are no hooks to print
any useful information like certtool is printing for each verification.

> I think it would be really useful to have certtool reflect the
> internal workings of GnuTLS as closely as possible, not least for the
> sake of providing tools to help admins who are trying to debug/test
> GnuTLS-based applications.

I agree. We can add it as a todo item.

regards,
Nikos



