manpagez: man pages & more
info gnutls
Home | html | info | man
[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.2.3 Verifying a certificate in the context of TLS session

When operating in the context of a TLS session, the trusted certificate authority list has been set via the gnutls_certificate_set_x509_trust_file and gnutls_certificate_set_x509_crl_file, thus it is not required to setup a trusted list as above. Convenience functions such as gnutls_certificate_verify_peers2 are equivalent and will verify the peer’s certificate chain in a TLS session.

There is also the possibility to pass some input to the verification functions in the form of flags. For gnutls_x509_trust_list_verify_crt the flags are passed straightforward, but gnutls_certificate_verify_peers2 depends on the flags set by calling gnutls_certificate_set_verify_flags. All the available flags are part of the enumeration gnutls_certificate_verify_flags shown in Table 4.4.

  • GNUTLS_VERIFY_DISABLE_CA_SIGN If set a signer does not have to be a certificate authority. This flag should normaly be disabled, unless you know what this means.
  • GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT Allow trusted CA certificates with version 1. This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used instead. That way only signers in your trusted list will be allowed to have certificates of version 1. This is the default.
  • GNUTLS_VERIFY_DO_NOT_ALLOW_SAME If a certificate is not signed by anyone trusted but exists in the trusted CA list do not treat it as trusted.
  • GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT Allow CA certificates that have version 1 (both root and intermediate). This might be dangerous since those haven’t the basicConstraints extension. Must be used in combination with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
  • GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 Allow certificates to be signed using the broken MD2 algorithm.
  • GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 Allow certificates to be signed using the broken MD5 algorithm.
  • GNUTLS_VERIFY_DISABLE_TIME_CHECKS Disable checking of activation and expiration validity periods of certificate chains. Don’t set this unless you understand the security implications.
  • GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS If set a signer in the trusted list is never checked for expiration or activation.
  • GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT Do not allow trusted CA certificates that have version 1. This option is to be used to deprecate all certificates of version 1.
  • GNUTLS_VERIFY_DISABLE_CRL_CHECKS Disable checking for validity using certificate revocation lists.

Table 4.4

Although the verification of a certificate path indicates that the certificate is signed by trusted authority, does not reveal anything about the peer’s identity. It is required to verify if the certificate’s owner is the one you expect. For more information consult [RFC2818] and section ex:verify for an example.

[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

This document was generated on January 4, 2012 using texi2html 5.0. 

© manpagez.com 2000-2025
Individual documents may contain additional copyright information.