On Thu 11 May 2006 21:22, Simon Josefsson wrote:

> > The documentation implies that the CRL should be verified
> > beforehand, but I'm not sure what this means. I know for sure that
> > it does not check dates; does it check the CRL's signature against
> > the loaded root CA cert?
>
> No, I don't think so. You'll have to verify that beforehand. This
> should probably be fixed, patches welcome.

Indeed. However the idea is to check the CRL on reception and not every time it is used. That's why it is not done in that function.

> > If not, does the API provide a way to extract the loaded CRL from
> > the credentials structure and do the checking?
>
> Hm, I can't find any API for that. Nikos?

No, there isn't, but why extract the loaded CRL, and not verify it before you load it? (with the gnutls_x509_crl_* functions)

regards,
Nikos
