| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
4.1.1.6 Verifying a certificate in the context of TLS session
When operating in the context of a TLS session, the trusted certificate authority list may also be set using:
int gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred, const char * cafile, gnutls_x509_crt_fmt_t type)int gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res, const char * crlfile, gnutls_x509_crt_fmt_t type)int gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
Then it is not required to setup a trusted list as above. The function gnutls_certificate_verify_peers3 may then be used to verify the peer’s certificate chain and identity. The flags are set similarly to the verification functions in the previous section.
There is also the possibility to pass some input to the verification
functions in the form of flags. For gnutls_x509_trust_list_verify_crt the
flags are passed straightforward, but
gnutls_certificate_verify_peers3 depends on the flags set by
calling gnutls_certificate_set_verify_flags. All the available
flags are part of the enumeration
gnutls_certificate_verify_flags shown in Figure 4.3.
GNUTLS_VERIFY_DISABLE_CA_SIGNIf set a signer does not have to be a certificate authority. This flag should normally be disabled, unless you know what this means.
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRTAllow trusted CA certificates with version 1. This is safer than
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used instead. That way only signers in your trusted list will be allowed to have certificates of version 1. This is the default.GNUTLS_VERIFY_DO_NOT_ALLOW_SAMEIf a certificate is not signed by anyone trusted but exists in the trusted CA list do not treat it as trusted.
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRTAllow CA certificates that have version 1 (both root and intermediate). This might be dangerous since those haven’t the basicConstraints extension. Must be used in combination with
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2Allow certificates to be signed using the broken MD2 algorithm.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5Allow certificates to be signed using the broken MD5 algorithm.
GNUTLS_VERIFY_DISABLE_TIME_CHECKSDisable checking of activation and expiration validity periods of certificate chains. Don’t set this unless you understand the security implications.
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKSIf set a signer in the trusted list is never checked for expiration or activation.
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRTDo not allow trusted CA certificates that have version 1. This option is to be used to deprecate all certificates of version 1.
GNUTLS_VERIFY_DISABLE_CRL_CHECKSDisable checking for validity using certificate revocation lists or the available OCSP data.
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAINA certificate chain is tolerated if unsorted (the case with many TLS servers out there). This is the default since GnuTLS 3.1.4.
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAINDo not tolerate an unsorted certificate chain.
Figure 4.3: The gnutls_certificate_verify_flags enumeration.
| [ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This document was generated on February 9, 2014 using texi2html 5.0.