On Wednesday 24 August 2005 12:15, Simon Josefsson wrote:

[...]
> > The key difference turns out to be:
> > gnutls_certificate_set_verify_flags(cred,
> >     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
[...]
> * Note that some commonly used X.509 Certificate Authorities are
> * still using Version 1 certificates. If you want to accept them,
> * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
> * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.

Indeed, without this flag most of the old (really old) root certificates
won't work. (It's funny that some of them even use md2!)

> I fixed all references to gnutls_certificate_verify_peers in the
> documentation that I could find. If you find any remaining
> occurrences, let me know. I also made the old function documented in
> GTK-DOC again, but with a reference to the new function. I fixed
> gnutls-cli too.

> Frankly, I'm not sure why gnutls_certificate_verify_peers is
> deprecated. The return values are negative for "real" errors, zero
> for success and positive for "soft" verification errors. Nikos?

The problem is that it is very easy for this function to be misused. I
didn't want to mix negative numbers and bit checking, that's why I
deprecated it. (And since it is deprecated it shouldn't be documented,
since it may be removed in future versions.)

-- 
Nikos Mavrogiannopoulos
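
The following is an added example, not part of the original message and not GnuTLS code. It models the return convention discussed in the thread (negative for errors, zero for success, positive bit flags for soft failures) and shows two caller mistakes that the convention invites, next to a split interface in the style of gnutls_certificate_verify_peers2(). All names, values and scenarios in it are constructed stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins modelling the return convention discussed above.
 * These are NOT GnuTLS symbols or values. */
enum { PEER_OK, PEER_UNTRUSTED, PEER_NO_CERT };    /* sample scenarios */
#define E_NO_CERT         (-8)       /* "real" error: negative */
#define ST_INVALID        (1u << 1)  /* "soft" failures: positive bit flags */
#define ST_SIGNER_UNKNOWN (1u << 6)

/* Old shape: a single int is an error code, zero, or a bit mask. */
static int verify_old(int peer)
{
    if (peer == PEER_NO_CERT) return E_NO_CERT;
    if (peer == PEER_UNTRUSTED) return (int)(ST_INVALID | ST_SIGNER_UNKNOWN);
    return 0;
}

/* Split shape: return value is error-or-zero, flags go to *status. */
static int verify_split(int peer, unsigned *status)
{
    *status = 0;
    if (peer == PEER_NO_CERT) return E_NO_CERT;
    if (peer == PEER_UNTRUSTED) *status = ST_INVALID | ST_SIGNER_UNKNOWN;
    return 0;
}

/* Misuse 1: only the sign is checked, so soft failures are accepted. */
static int accept_sign_only(int peer) { return verify_old(peer) >= 0; }

/* Misuse 2: only a flag is tested; -8 has bit 1 clear, so a hard error
 * is read as "not invalid" and accepted. */
static int accept_bit_only(int peer)
{
    return ((unsigned)verify_old(peer) & ST_INVALID) == 0;
}

/* Split shape: the error check and the status check are both explicit. */
static int accept_split(int peer)
{
    unsigned status;
    return verify_split(peer, &status) == 0 && status == 0;
}

int main(void)
{
    for (int p = PEER_OK; p <= PEER_NO_CERT; p++)
        printf("peer=%d sign_only=%d bit_only=%d split=%d\n", p,
               accept_sign_only(p), accept_bit_only(p), accept_split(p));
    return 0;
}
```

With the single-int shape the only safe acceptance test is `== 0`; either partial check lets one class of failure through.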
