@deftypefun {int} {gnutls_certificate_verify_peers2} (gnutls_session_t @var{session}, unsigned int * @var{status})
@var{session}: is a gnutls session

@var{status}: is the output of the verification

This function will verify the peer's certificate and store
the status in the @code{status} variable as a bitwise OR of gnutls_certificate_status_t
values, or zero if the certificate is trusted. Note that the value in @code{status} is set only when the return value of this function is success (i.e., failure
to trust a certificate does not imply a negative return value).
The default verification flags used by this function can be overridden
using @code{gnutls_certificate_set_verify_flags()}.

This function will take into account the stapled OCSP responses sent by the server,
as well as the following X.509 certificate extensions: Name Constraints,
Key Usage, and Basic Constraints (pathlen).

Note that you must also check the peer's name in order to check whether
the verified certificate belongs to the actual peer; see @code{gnutls_x509_crt_check_hostname()},
or use @code{gnutls_certificate_verify_peers3()}.

To avoid denial of service attacks, some
default upper limits regarding the certificate key size and chain
size are set. To override them use @code{gnutls_certificate_set_verify_limits()}.

Note that when using raw public keys, verification will not work because there is
no corresponding certificate body belonging to the raw key that can be verified. In that
case this function will return @code{GNUTLS_E_INVALID_REQUEST}.

@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) when the validation is performed, or a negative error code otherwise.
A successful return code means that the @code{status} parameter must be checked to obtain the validation status.
@end deftypefun
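The two pitfalls this entry warns about (a zero return does not mean the chain is trusted, and a trusted chain does not mean it belongs to the intended peer) are easy to get wrong in a caller. The following is an added example, not GnuTLS's own code: @code{judge_peer()} encodes the decision rule as a pure function, and @code{check_peer()} wraps the real @code{gnutls_certificate_verify_peers2()} call together with the hostname check. The names @code{peer_verdict}, @code{judge_peer}, @code{check_peer}, the @code{HAVE_GNUTLS} macro and the @code{__has_include} guard are assumptions made here; the wrapper only compiles where the GnuTLS headers are installed and must then be linked with @code{-lgnutls}.

```c
/* Added example: correct handling of gnutls_certificate_verify_peers2() results.
 * Not part of GnuTLS; names below (peer_verdict, judge_peer, check_peer,
 * HAVE_GNUTLS) are assumptions made for this illustration. */

#ifdef __has_include
#if __has_include(<gnutls/gnutls.h>) && __has_include(<gnutls/x509.h>)
#define HAVE_GNUTLS 1
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#endif
#endif

enum peer_verdict {
    PEER_TRUSTED = 0,    /* ret == 0, status == 0, and the name matches     */
    PEER_VERIFY_ERROR,   /* ret < 0: verification could not be performed    */
    PEER_UNTRUSTED,      /* ret == 0 but status carries failure bits        */
    PEER_NAME_MISMATCH   /* chain trusted, but not issued to the peer we want */
};

/* Decision rule from the documentation above:
 *  - a negative return means verification did not run (status is unset), so
 *    status must not be consulted at all;
 *  - a zero return only means "status is valid"; any non-zero status bit
 *    (a bitwise OR of gnutls_certificate_status_t) means "not trusted";
 *  - even a trusted chain must still be bound to the expected hostname. */
enum peer_verdict judge_peer(int ret, unsigned int status, int hostname_matches)
{
    if (ret < 0)
        return PEER_VERIFY_ERROR;      /* includes GNUTLS_E_INVALID_REQUEST for raw public keys */
    if (status != 0)
        return PEER_UNTRUSTED;         /* "success" return, yet the certificate is not trusted */
    if (!hostname_matches)
        return PEER_NAME_MISMATCH;     /* valid chain, wrong peer: still a failure */
    return PEER_TRUSTED;
}

#ifdef HAVE_GNUTLS
/* Verify the peer of an established session against `hostname`.
 * If the verdict is PEER_UNTRUSTED and `reason` is non-NULL, a printable
 * explanation of the status bits is stored in *reason (free with gnutls_free). */
enum peer_verdict check_peer(gnutls_session_t session, const char *hostname,
                             gnutls_datum_t *reason)
{
    unsigned int status = 0;
    int ret = gnutls_certificate_verify_peers2(session, &status);
    int name_ok = 0;

    if (ret >= 0 && status != 0 && reason != NULL)
        gnutls_certificate_verification_status_print(status,
                                                     gnutls_certificate_type_get(session),
                                                     reason, 0);

    /* Only bother with the name check once the chain itself is acceptable. */
    if (ret >= 0 && status == 0) {
        unsigned int n = 0;
        const gnutls_datum_t *chain = gnutls_certificate_get_peers(session, &n);
        gnutls_x509_crt_t crt;

        if (chain != NULL && n > 0 && gnutls_x509_crt_init(&crt) >= 0) {
            /* chain[0] is the end-entity certificate, in DER form. */
            if (gnutls_x509_crt_import(crt, &chain[0], GNUTLS_X509_FMT_DER) >= 0)
                name_ok = gnutls_x509_crt_check_hostname(crt, hostname) != 0;
            gnutls_x509_crt_deinit(crt);
        }
    }
    return judge_peer(ret, status, name_ok);
}
#endif
```

The caller should treat anything other than @code{PEER_TRUSTED} as a reason to abort the connection; in particular, the @code{PEER_UNTRUSTED} branch is exactly the case the text describes, where the function "succeeds" but the certificate is not trusted.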