[Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
From: Simon Josefsson
Subject: [Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
Date: Thu, 11 May 2006 21:22:43 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

Rich Fought <address@hidden> writes:

> Does the function
>
> gnutls_certificate_set_x509_crl_file
>
> do any sort of checking whatsoever on the CRL file?

It reads the file and DER decodes the data.

> The documentation implies that the CRL should be verified
> beforehand, but I'm not sure what this means. I know for sure that
> it does not check dates; does it check the CRL's signature against
> the loaded root CA cert?

No, I don't think so. You'll have to verify that beforehand. This
should probably be fixed, patches welcome.

> If not, does the API provide a way to extract the loaded CRL from the
> credentials structure and do the checking?

Hm, I can't find any API for that. Nikos?

> Or is it a separate deal?

gnutls_certificate_verify_peers2 does check certificates against the CRL
though.

/Simon