gnutls-devel

Re: [gnutls-dev] Problem with gnutls_certificate_verify_peers2()


From: Simon Josefsson
Subject: Re: [gnutls-dev] Problem with gnutls_certificate_verify_peers2()
Date: Wed, 16 May 2007 13:05:36 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)

Victor Stinner <address@hidden> writes:

> I'm still not sure that it's a bug, but it looks like a problem in the 
> documentation.
> -----
>    int gnutls_certificate_verify_peers2(
>        gnutls_session_t session, unsigned int * status); 
>
> ARGUMENTS 
>    gnutls_session_t session is a gnutls session 
>    unsigned int * status is the output of the verification
>
> DESCRIPTION 
>    This function will try to verify the peer's certificate and return its
>    status (trusted, invalid etc.). (...)
>    Returns a negative error code on error and zero on success. 
> -----
>
> What is "a success" in this case? In my mind, success means that the 
> certificate is valid but it looks like I'm wrong.

A "success" is that the verification operation worked correctly, but the
_status_ of that successful verification (which can be failure) is
reported through the status output parameter.

Frankly, I find the old gnutls_certificate_verify_peers() function more
logical, but Nikos wanted to deprecate it in favor of
gnutls_certificate_verify_peers2().  The use of a bitmapped status type
like gnutls_certificate_status_t may be problematic though (it limits us to
32 different kinds of failures).

Suggestions on how to improve the documentation would be appreciated.

Ideally, all the X.509 stuff should be moved to a different library.
GnuTLS's current certificate verifier fails on some chains, see the
PKITS self-tests:

http://www.mail-archive.com/address@hidden/msg00581.html

/Simon
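
The distinction Simon draws (return code = did the verification operation run; status bitmap = what it found) is exactly where callers go wrong, so here is an added, stand-alone C example of how a caller should interpret the pair. It is not code from this thread or from GnuTLS: the DEMO_CERT_* flag values are constructed stand-ins so the file compiles without the library (real code uses the gnutls_certificate_status_t constants from <gnutls/gnutls.h>, e.g. GNUTLS_CERT_INVALID, GNUTLS_CERT_REVOKED, GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_CERT_SIGNER_NOT_CA), and the (rc, status) pairs in main() are constructed inputs standing in for what gnutls_certificate_verify_peers2() would hand back.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for gnutls_certificate_status_t bits so this demo
 * builds without GnuTLS. Real code must use the library's own enum. */
enum {
    DEMO_CERT_INVALID          = 1u << 1,
    DEMO_CERT_REVOKED          = 1u << 5,
    DEMO_CERT_SIGNER_NOT_FOUND = 1u << 6,
    DEMO_CERT_SIGNER_NOT_CA    = 1u << 7
};

typedef enum {
    PEER_OP_FAILED = -1,  /* rc < 0: verification could not be performed */
    PEER_UNTRUSTED = 0,   /* rc == 0, status != 0: ran, chain not trusted */
    PEER_TRUSTED   = 1    /* rc == 0, status == 0: ran, chain trusted     */
} peer_verdict;

/* The mistake the original poster describes: reading "zero on success"
 * as "certificate is valid" and never looking at the status output. */
int naive_accepts(int rc, unsigned int status)
{
    (void)status;         /* status is ignored: invalid certs get through */
    return rc == 0;
}

/* The rule from the thread applied correctly. A negative return code means
 * the verification itself failed, so nothing can be concluded about the
 * certificate; only rc == 0 *and* an all-clear status bitmap means trusted. */
peer_verdict judge_peer(int rc, unsigned int status)
{
    if (rc < 0)
        return PEER_OP_FAILED;
    return status == 0 ? PEER_TRUSTED : PEER_UNTRUSTED;
}

/* Render the status bitmap as human-readable reasons into buf.
 * Returns the number of distinct reasons reported. Bits this code does not
 * know are reported as well, so a flag added by a newer library version is
 * never silently treated as harmless. */
int describe_status(unsigned int status, char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *name; } table[] = {
        { DEMO_CERT_INVALID,          "certificate invalid" },
        { DEMO_CERT_REVOKED,          "certificate revoked" },
        { DEMO_CERT_SIGNER_NOT_FOUND, "issuer not in trust store" },
        { DEMO_CERT_SIGNER_NOT_CA,    "issuer is not a CA" },
    };
    int count = 0;
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (status & table[i].bit) {
            if (count++)
                strncat(buf, "; ", len - strlen(buf) - 1);
            strncat(buf, table[i].name, len - strlen(buf) - 1);
            status &= ~table[i].bit;
        }
    }
    if (status) {                       /* leftover, unrecognised bits */
        char tmp[40];
        snprintf(tmp, sizeof tmp, "unknown flag(s) 0x%x", status);
        if (count++)
            strncat(buf, "; ", len - strlen(buf) - 1);
        strncat(buf, tmp, len - strlen(buf) - 1);
    }
    return count;
}

int main(void)
{
    /* Constructed (rc, status) pairs standing in for what
     * gnutls_certificate_verify_peers2() would return. */
    const struct { int rc; unsigned int status; const char *label; } cases[] = {
        {  0, 0,                                            "clean chain"        },
        {  0, DEMO_CERT_INVALID | DEMO_CERT_SIGNER_NOT_FOUND, "unknown issuer"   },
        {  0, DEMO_CERT_INVALID | DEMO_CERT_REVOKED,          "revoked cert"     },
        { -1, 0,                                            "verifier error"     },
    };
    char reasons[256];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        peer_verdict v = judge_peer(cases[i].rc, cases[i].status);
        describe_status(cases[i].status, reasons, sizeof reasons);
        printf("%-15s naive=%d correct=%s%s%s\n", cases[i].label,
               naive_accepts(cases[i].rc, cases[i].status),
               v == PEER_TRUSTED ? "trusted" :
               v == PEER_UNTRUSTED ? "untrusted" : "op-failed",
               reasons[0] ? " : " : "", reasons);
    }
    return 0;
}
```

Note that even a PEER_TRUSTED verdict only says the chain leads to a trusted root; in GnuTLS of this era the hostname match against the peer's certificate is a separate call (gnutls_x509_crt_check_hostname), so a caller that stops at status == 0 has still not finished authenticating the peer.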


