author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-04-08 18:42:01 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-04-08 19:35:38 +0200 |
commit | f7ad44f1b587e057070f57ceee521b8eecf060db (patch) | |
tree | d2df86bf2d5d299d3999807233ae10b24b7fbc8c /doc | |
parent | b3ee1e5c22480ae5eb3fde8e4341576de396644e (diff) | |
download | gnutls-f7ad44f1b587e057070f57ceee521b8eecf060db.tar.gz |
Added gnutls_certificate_verify_peers4, which verifies the purpose of the end certificate in addition to the hostname.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-cert-auth.texi | 9 | ||||
-rw-r--r-- | doc/cha-cert-auth2.texi | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-x509.c | 4 | ||||
-rw-r--r-- | doc/examples/verify.c | 4 |
4 files changed, 13 insertions, 6 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index fcd089cb88..dfd4f8c9ec 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -349,10 +349,13 @@ When operating in the context of a TLS session, the trusted certificate authority list may also be set using: @showfuncC{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust}
-Then it is not required to setup a trusted list as above.
-The function @funcref{gnutls_certificate_verify_peers3}
-may then be used to verify the peer's certificate chain and identity. The flags
+In that case it is not required to setup a trusted list as above, and
+the function @funcref{gnutls_certificate_verify_peers3}
+may be used to verify the peer's certificate chain and identity. The flags
 are set similarly to the verification functions in the previous section.
+Note that in certain cases it is required to check the marked purpose of
+the end certificate (e.g. @code{GNUTLS_KP_TLS_WWW_SERVER}); in these case
+@funcref{gnutls_certificate_verify_peers4} should be used instead.
 There is also the possibility to pass some input to the verification functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt} the
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 0cd328240e..a6482a8a4c 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -154,7 +154,7 @@ in a CRL and/or perform an OCSP check for the certificate. Note that in the context of a TLS session the server may provide an OCSP response that will used during the TLS certificate verification
-(see @funcref{gnutls_certificate_verify_peers3}).
+(see @funcref{gnutls_certificate_verify_peers2}).
 You may obtain this response using @funcref{gnutls_ocsp_status_request_get}. Before performing the OCSP query, the application will need to figure
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index df96444f9f..dc6b2985e0 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -158,7 +158,9 @@ static int _verify_certificate_callback(gnutls_session_t session)
 /* This verification function uses the trusted CAs in the credentials
 * structure. So you must have installed one or more CA certificates. */
- ret = gnutls_certificate_verify_peers3(session, hostname, &status);
+ ret = gnutls_certificate_verify_peers4(session, hostname,
+ GNUTLS_KP_TLS_WWW_SERVER,
+ &status);
 if (ret < 0) {
 printf("Error\n");
 return GNUTLS_E_CERTIFICATE_ERROR;
diff --git a/doc/examples/verify.c b/doc/examples/verify.c
index 4d0d059ea6..86d35808fc 100644
--- a/doc/examples/verify.c
+++ b/doc/examples/verify.c
@@ -23,7 +23,9 @@ int verify_certificate_callback(gnutls_session_t session)
 /* This verification function uses the trusted CAs in the credentials
 * structure. So you must have installed one or more CA certificates. */
- ret = gnutls_certificate_verify_peers3(session, hostname, &status);
+ ret = gnutls_certificate_verify_peers4(session, hostname,
+ GNUTLS_KP_TLS_WWW_SERVER,
+ &status);
 if (ret < 0) {
 printf("Error\n");
 return GNUTLS_E_CERTIFICATE_ERROR; |
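Review bot: The new gnutls_certificate_verify_peers4 call hard-codes GNUTLS_KP_TLS_WWW_SERVER with no comment saying why that purpose is the right one here, so anyone copying this example into a server-side callback would carry the wrong purpose over; a one-line comment above the call would fix that, e.g. `/* Client side: the peer's end certificate must be marked for TLS server use; a server checking a client certificate would pass GNUTLS_KP_TLS_WWW_CLIENT instead. */`. The hunk only shows the `ret < 0` path; a zero return with a non-zero `status` is still a failed verification, and I assume that check follows below the hunk since `status` is passed by address, but it is worth confirming. If `hostname` can be NULL at this point (it is set outside the hunk), the name check is presumably skipped by the library, so the example should make sure a name is always supplied before calling. `_verify_certificate_callback` starts and ends outside the hunk.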
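Review bot: The error path after the new call prints only `Error`, which throws away the reason gnutls_certificate_verify_peers4 failed; for an example that is meant to be copied, `printf("Error: %s\n", gnutls_strerror(ret));` is the one-line change I would make. Hard-wiring GNUTLS_KP_TLS_WWW_SERVER also silently assumes the peer is always a TLS server; if this callback is shared across examples, as the generic file name suggests, any server-side reuse would need GNUTLS_KP_TLS_WWW_CLIENT, and a comment stating the assumption, `/* For client sessions only: the peer is expected to be a TLS server. */`, would make it visible. I cannot see from the hunk whether `status` is examined after the `ret < 0` check; a zero return with a non-zero status still means the chain did not verify. `verify_certificate_callback` starts and ends outside the hunk.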