author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-02-10 10:35:29 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-02-10 10:35:29 +0100 |
commit | 309f04b111bcb507f6abed9669185fe1de66787f (patch) | |
tree | c01bc96bb95aa77e2bca46bfae87e314e33c050b /doc | |
parent | 2fe123a63342125ac101df5ce5ab978dc5e3ed36 (diff) | |
Removed the application field and added an expiration field.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-cert-auth.texi | 13 | ||||
-rw-r--r-- | doc/cha-gtls-examples.texi | 5 | ||||
-rw-r--r-- | doc/examples/ex-verify-ssh.c | 8 |
3 files changed, 15 insertions, 11 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 7fb41a60dd..a2656ad94d 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -87,7 +87,7 @@ acceptable. The framework is illustrated on @ref{fig:x509}.
* X.509 distinguished names::
* Verifying X.509 certificate paths::
* Verifying a certificate in the context of TLS session::
-* Verifying a certificate using SSH-style authentication::
+* Verifying a certificate using trust on first use authentication::
@end menu
@node X.509 certificate structure
@@ -277,15 +277,16 @@ about the peer's identity. It is required to verify if the certificate's
owner is the one you expect. For more information consult @xcite{RFC2818}
and section @ref{ex:verify} for an example.
-@node Verifying a certificate using SSH-style authentication
-@subsection Verifying a certificate using SSH-style authentication
+@node Verifying a certificate using trust on first use authentication
+@subsection Verifying a certificate using trust on first use authentication
@cindex verifying certificate paths
@cindex SSH-style authentication
+@cindex Trust on first use
@tindex gnutls_certificate_verify_flags
-It is possible to use an SSH-style authentication method in GnuTLS.
-That means that having seen and associated a public key with a host
-is enough to trust it on the subsequent connections.
+It is possible to use a trust on first use (similar to SSH) authentication
+method in GnuTLS. That means that having seen and associated a public key
+with a host is enough to trust it on the subsequent connections.
A hybrid system with X.509 and SSH authentication is shown in
@ref{Simple client example with SSH-style certificate verification}.
diff --git a/doc/cha-gtls-examples.texi b/doc/cha-gtls-examples.texi
index 9d253a0045..637653c46a 100644
--- a/doc/cha-gtls-examples.texi
+++ b/doc/cha-gtls-examples.texi
@@ -70,8 +70,9 @@ resumption.
This is an alternative verification function that will use the X.509 certificate authorities for verification, but also assume an
-SSH-like authentication system. That is the user is prompted on unknown
-public keys and known public keys are considered trusted.
+trust on first use (SSH-like) authentication system. That is the user is
+prompted on unknown public keys and known public keys are considered
+trusted.
@verbatiminclude examples/ex-verify-ssh.c
diff --git a/doc/examples/ex-verify-ssh.c b/doc/examples/ex-verify-ssh.c
index c9a66b27bc..fb211c5746 100644
--- a/doc/examples/ex-verify-ssh.c
+++ b/doc/examples/ex-verify-ssh.c
@@ -92,8 +92,10 @@ _ssh_verify_certificate_callback (gnutls_session_t session)
gnutls_x509_crt_deinit (cert);
- ret = gnutls_verify_stored_pubkey(NULL, NULL, hostname, "443",
- GNUTLS_CRT_X509, &cert_list[0], 0);
+ /* service may be obtained alternatively using getservbyport() */
+ ret = gnutls_verify_stored_pubkey(NULL, hostname, "https",
+ GNUTLS_CRT_X509, &cert_list[0],
+ 0, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
fprintf(stderr, "Host %s is not known.", hostname);
@@ -128,7 +130,7 @@ _ssh_verify_certificate_callback (gnutls_session_t session)
/* user trusts the key -> store it */
if (ret != 0)
{
- ret = gnutls_store_pubkey(NULL, NULL, hostname, "443", GNUTLS_CRT_X509, &cert_list[0], 0);
+ ret = gnutls_store_pubkey(NULL, hostname, "https", GNUTLS_CRT_X509, &cert_list[0], 0);
if (ret < 0)
fprintf(stderr, "gnutls_store_pubkey: %s\n", gnutls_strerror(ret));
} |
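Review bot: The two trailing literals in the new `gnutls_verify_stored_pubkey(NULL, hostname, "https", GNUTLS_CRT_X509, &cert_list[0], 0, 0)` call are unexplained, and since the commit message says an expiration field was added and this call gained exactly one argument, one of them is presumably the expiration; a reader of an example file cannot tell which 0 is flags, which is expiration, or what an expiration of 0 means (never expires, or defer to the certificate's own validity). Extend the comment the hunk adds so it names them, e.g. `/* service may be obtained alternatively using getservbyport(); the trailing 0s are the flags and the expiration — see gnutls_verify_stored_pubkey() for what 0 means for each */`, with the order checked against the prototype. The only branch visible here handles GNUTLS_E_NO_CERTIFICATE_FOUND (host never seen); the case trust-on-first-use actually exists for, a pinned key that no longer matches the presented certificate, is handled outside this hunk and should be a hard failure rather than another prompt, which is worth confirming in the rest of `_ssh_verify_certificate_callback`, whose body continues beyond the hunk.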
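Review bot: The new `ret = gnutls_store_pubkey(NULL, hostname, "https", GNUTLS_CRT_X509, &cert_list[0], 0);` line runs to roughly 95 columns on one line while the matching verify call earlier in the same file was wrapped at the argument list; wrap it the same way, `ret = gnutls_store_pubkey(NULL, hostname, "https",` / `GNUTLS_CRT_X509, &cert_list[0], 0);`, so the two calls in the example read alike. The trailing `0` also deserves a word in the `/* user trusts the key -> store it */` comment: the commit message says an expiration field was added, yet this call passes a single literal, so say whether it is the flags or an expiration and, if the latter, what 0 means for the stored pin. A failed store is only reported with fprintf and execution continues; the function's return is outside this hunk, so if the session is still accepted without the pin having been recorded, state that in the same comment, e.g. `/* user trusts the key -> store it; a store failure is reported but does not reject the session */`.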