From: | Nikos Mavrogiannopoulos |
Subject: | Re: Checking CA expiration |
Date: | Thu, 20 Oct 2011 09:34:07 +0200 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Icedove/3.1.13 |
On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
> In our code, we add CAs to our credentials using gnutls_set_x509_trust_file. In gnutls 2.x, we then get a list of the CAs using gnutls_certificate_get_x509_cas which we then use to verify that at least one of the CAs has not yet expired. We want to do this _before_ initiating a session. Is this possible in gnutls 3.x? gnutls_certificate_get_x509_cas has gone away, supposedly in favor of gnutls_certificate_get_issuer(), but that requires an existing session.
Why not use gnutls_x509_crt_list_import() or gnutls_x509_crt_list_import2() and traverse the list of the CAs? The access to the CA list in the credentials structure has been restricted to allow for future internal changes.
regards, Nikos