Daniel Stenberg <[EMAIL PROTECTED]> writes:

> On Wed, 24 Aug 2005, Simon Josefsson wrote:
>
>> [EMAIL PROTECTED]:~$ gnutls-cli --x509cafile
>> /usr/share/curl/curl-ca-bundle.crt gmail.google.com
>
> The key difference turns out to be:
>
> gnutls_certificate_set_verify_flags(cred,
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
>
> Which gnutls-cli sets and I didn't. When I use this, I can
> successfully verify this server's certificate!
>
> Perhaps the gnutls_certificate_verify_peers2() description in the docs could
> hint about the possibility that this is needed?

Good idea, I added:

 * Note that some commonly used X.509 Certificate Authorities are
 * still using Version 1 certificates.  If you want to accept them,
 * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
 * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.

> Another little nit that is slightly related:
>
> gnutls-cli uses the gnutls_certificate_verify_peers() function
> (alias, not the *2 version), there are numerous references to this
> function in the docs but there's no description for it... I take it
> the gnutls_certificate_verify_peers2() is the one we should be
> using, but it would probably be suitable if gnutls-cli was switched
> to use it and if the references in the docs were updated as well.

I fixed all references to gnutls_certificate_verify_peers in the
documentation that I could find.  If you find any remaining
occurrences, let me know.

I also made the old function documented in GTK-DOC again, but with a
reference to the new function.

I fixed gnutls-cli too.

Frankly, I'm not sure why gnutls_certificate_verify_peers is
deprecated.  The return values are negative for "real" errors, zero
for success and positive for "soft" verification errors.  Nikos?

Thanks,
Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
