gnutls-devel

Re: [PATCH] add gnutls_certificate_find_issuer


From: Nikos Mavrogiannopoulos
Subject: Re: [PATCH] add gnutls_certificate_find_issuer
Date: Wed, 20 Feb 2008 14:52:54 +0200

On Feb 19, 2008 11:33 PM, Joe Orton <address@hidden> wrote:

> When an SSL handshake takes place and a server cert cannot be verified
> for some reason (commonName mismatch, for example), the neon API then
> needs to expose the whole server cert chain to the application, so that
> it can be presented to a user for manual verification.
>
> gnutls_certificate_get_peers() will not necessarily return that whole
> chain, so neon needs some way to recreate the chain based on the
> configured set of trusted certs.  That is what
> gnutls_certificate_find_issuer() is for.
> Does that make sense?
> With respect to exposing structure contents directly, I would generally
> advocate exposing functions instead where possible, since structures
> bring restrictive ABI constraints.

Indeed, but I'm thinking that someone might do more than check a single
issuer. He might want to print the whole imported list. In that case
I'd use something like gnutls_certificate_export_x509_cas() that will
return the whole list of issuers, and your check can be done at the
application level. Would something like this suit you?

regards,
Nikos
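
As an added illustration of the chain reconstruction Joe describes above
(finding, for each certificate, the trusted CA whose subject matches its
issuer until a self-signed root is reached), here is a self-contained
example. It is not code from this thread, from neon or from GnuTLS; the
function names find_issuer() and build_chain() are hypothetical, and the
"certificates" are constructed, unsigned DER stand-ins carrying only the
fields needed for the issuer/subject match. A real check would also
verify the signature (and, as GnuTLS does, compare the key identifier
extensions); this example only does the byte-exact DER Name comparison,
and shows the failure mode neon cares about: the chain stays incomplete
when no issuer is found among the configured CAs.

```python
# Added example, not part of the gnutls-devel thread, neon or GnuTLS.
# Minimal DER encoder/decoder plus an issuer search over a trusted CA set.

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one commonName (2.5.4.3)
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, cn.encode()))
    return der(0x30, der(0x31, atv))

def fake_cert(subject, issuer):
    """Constructed stand-in: Certificate with a tbsCertificate holding
    version, serial, signature alg, issuer, validity, subject, and an
    empty placeholder signature.  Not a valid, signed certificate."""
    tbs = der(0x30,
              der(0xa0, der(0x02, b"\x02"))          # [0] version v3
              + der(0x02, b"\x01")                    # serialNumber
              + SHA256_RSA                            # signature
              + name(issuer)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + name(subject))
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00"))

def _tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(payload):
    """Split a constructed value into (tag, raw TLV bytes) children."""
    out, pos = [], 0
    while pos < len(payload):
        tag, _, nxt = _tlv(payload, pos)
        out.append((tag, payload[pos:nxt]))
        pos = nxt
    return out

def names(cert_der):
    """Return (issuer, subject) as raw DER Name encodings."""
    _, cert_body, _ = _tlv(cert_der, 0)
    _, tbs_raw = _children(cert_body)[0]
    _, tbs_body, _ = _tlv(tbs_raw, 0)
    fields = _children(tbs_body)
    i = 1 if fields[0][0] == 0xa0 else 0              # optional [0] version
    return fields[i + 2][1], fields[i + 4][1]         # issuer, subject

def find_issuer(cert, candidates):
    """First candidate whose subject Name equals cert's issuer Name (DN
    match only; a real check would also verify the signature)."""
    issuer, _ = names(cert)
    for cand in candidates:
        if names(cand)[1] == issuer:
            return cand
    return None

def build_chain(leaf, trusted):
    """Walk from leaf towards a self-signed root using only the trusted set.
    Returns (chain, complete); complete is False when an issuer is missing."""
    chain, cur = [leaf], leaf
    while True:
        issuer, subject = names(cur)
        if issuer == subject:                         # self-signed: stop
            return chain, True
        nxt = find_issuer(cur, trusted)
        if nxt is None or nxt in chain:               # missing issuer or loop
            return chain, False
        chain.append(nxt)
        cur = nxt

# Constructed sample: root -> issuing CA -> server leaf.
ROOT = fake_cert("Example Root CA", "Example Root CA")
INTER = fake_cert("Example Issuing CA", "Example Root CA")
LEAF = fake_cert("www.example.com", "Example Issuing CA")

if __name__ == "__main__":
    chain, complete = build_chain(LEAF, [ROOT, INTER])
    print(len(chain), complete)                       # 3 True
    chain, complete = build_chain(LEAF, [ROOT])
    print(len(chain), complete)                       # 1 False (no intermediate)
```

If two trusted certificates share a subject Name (cross-signing), the first
match wins here; an application presenting the chain to a user would want
to disambiguate with the key identifier extensions or the signature check.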



