Michael Welsh Duggan <[email protected]> writes:

> I work on a project where we have written a client and server that use
> GnuTLS to communicate. Specifically, the client and server use
> gnutls_certificate_set_x509_trust_file() to load a CA and
> gnutls_certificate_set_x509_simple_pkcs12_file() to load a password
> protected certificate/key pair.
>
> Recently we have had an experience attempting to communicate using
> certificates that have expired. When using certs that have expired,
> the call to gnutls_certificate_verify_peers2() will set the
> GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS
> 2.6.6 or later---thanks for adding this check).
>
> What we would rather have happen is that when the client or server
> start, they check the expiration times on the certificates they read,
> and exit if they find no valid certificates. This saves us from
> attempting a connection that is going to be rejected because of the
> expired certificates.
>
> Once we've loaded the CA into the gnutls_certificate_credentials_t
> structure, we can use gnutls_certificate_get_x509_cas() to loop over
> the CAs and check their activation and expiration times (using
> gnutls_x509_crt_get_activation_time()).
>
> However, we don't see a way to do that with the certificate/key pair
> that we load. gnutls_x509_crt_list_verify() looks close, however it
> does not check the activation/expiration times, and we haven't found a
> function that lets me get a certificate list from a
> gnutls_certificate_credentials_t structure.
>
> Are we missing something? Are there other suggestions on how to perform
> this check?
Doesn't gnutls_x509_crt_list_verify check times? If I read the code for gnutls_certificate_verify_peers2, it calls _gnutls_x509_cert_verify_peers which calls gnutls_x509_crt_list_verify. I can't find any time checks outside of that function.

Note that the function trims trusted certificates from the list of certificates to check expiration dates on.

It could be a bug, see if you can create a small test case that calls gnutls_x509_crt_list_verify on a chain which doesn't fail but should.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
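The start-up check the original poster describes (walk every certificate the process is about to use, compare its activation and expiration times against the current time, and refuse to start if none is currently valid) can be done on the certificate file before it is handed to the credentials structure, which sidesteps the missing "get the certificate list back out of gnutls_certificate_credentials_t" function. The program below is an added example written for this page, not code from the thread or from the GnuTLS project. It assumes a PEM file containing the leaf certificate and its chain (the thread's PKCS#12 bundle would need the gnutls_pkcs12_* API instead, which is not shown); the GnuTLS calls are the library's real API, while the helper names cert_time_status, pem_certs_usable and read_file are this example's own. The time comparison is kept in a pure function so it can be tested without a certificate; the GnuTLS-dependent part is compiled only when the headers are found and links with -lgnutls.

```c
/* Added example: check the validity window of every certificate in a PEM
 * file before loading it, and refuse to start if none is currently valid.
 * Build: cc -o certcheck certcheck.c -lgnutls
 * Run:   ./certcheck chain.pem   (exit status 0 only if a usable cert exists)
 * Helper names (cert_time_status, pem_certs_usable, read_file) are this
 * example's own; the gnutls_* calls are the real GnuTLS API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__has_include)
#  if __has_include(<gnutls/x509.h>)
#    define HAVE_GNUTLS 1
#  endif
#endif
#ifdef HAVE_GNUTLS
#  include <gnutls/gnutls.h>
#  include <gnutls/x509.h>
#endif

enum cert_time_status { CERT_TIME_OK = 0, CERT_NOT_YET_ACTIVE, CERT_EXPIRED, CERT_TIME_UNKNOWN };

/* Pure comparison of a certificate's window against `now`. (time_t)-1 is what
 * gnutls_x509_crt_get_activation_time()/_expiration_time() return on error,
 * so it is reported as "unknown" and never counted as valid. */
enum cert_time_status cert_time_status(time_t activation, time_t expiration, time_t now)
{
    if (activation == (time_t)-1 || expiration == (time_t)-1)
        return CERT_TIME_UNKNOWN;
    if (now < activation)
        return CERT_NOT_YET_ACTIVE;
    if (now > expiration)
        return CERT_EXPIRED;
    return CERT_TIME_OK;
}

const char *cert_time_status_name(enum cert_time_status st)
{
    switch (st) {
    case CERT_TIME_OK:         return "valid";
    case CERT_NOT_YET_ACTIVE:  return "not yet active";
    case CERT_EXPIRED:         return "expired";
    default:                   return "unknown validity";
    }
}

#ifdef HAVE_GNUTLS
/* Read a whole file into a gnutls_datum_t; the caller frees out->data. */
static int read_file(const char *path, gnutls_datum_t *out)
{
    FILE *f = fopen(path, "rb");
    long n;
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) < 0) { fclose(f); return -1; }
    rewind(f);
    out->data = malloc((size_t)n);
    if (!out->data) { fclose(f); return -1; }
    out->size = (unsigned int)fread(out->data, 1, (size_t)n, f);
    fclose(f);
    return 0;
}

/* Returns how many certificates in the PEM file are valid at `now`, or -1 on a
 * load error. Every certificate is reported, so an expired intermediate is
 * visible even when the leaf itself is fine. */
int pem_certs_usable(const char *path, time_t now)
{
    gnutls_datum_t pem;
    gnutls_x509_crt_t certs[16];
    unsigned int ncerts = 16, i;
    int usable = 0, rc;

    if (read_file(path, &pem) != 0) return -1;
    rc = gnutls_x509_crt_list_import(certs, &ncerts, &pem, GNUTLS_X509_FMT_PEM, 0);
    free(pem.data);
    if (rc < 0) {
        fprintf(stderr, "%s: %s\n", path, gnutls_strerror(rc));
        return -1;
    }
    for (i = 0; i < ncerts; i++) {
        char dn[256];
        size_t dn_len = sizeof dn;
        time_t act = gnutls_x509_crt_get_activation_time(certs[i]);
        time_t exp = gnutls_x509_crt_get_expiration_time(certs[i]);
        enum cert_time_status st = cert_time_status(act, exp, now);
        if (gnutls_x509_crt_get_dn(certs[i], dn, &dn_len) < 0)
            strcpy(dn, "<unknown subject>");
        fprintf(stderr, "cert %u (%s): %s\n", i, dn, cert_time_status_name(st));
        if (st == CERT_TIME_OK) usable++;
        gnutls_x509_crt_deinit(certs[i]);
    }
    return usable;
}

int main(int argc, char **argv)
{
    int usable;
    if (argc != 2) { fprintf(stderr, "usage: %s chain.pem\n", argv[0]); return 2; }
    gnutls_global_init();
    usable = pem_certs_usable(argv[1], time(NULL));
    gnutls_global_deinit();
    if (usable <= 0) {   /* the policy from the thread: do not even try to connect */
        fprintf(stderr, "no currently valid certificate in %s; not starting\n", argv[1]);
        return 1;
    }
    return 0;
}
#else
int main(void) { fprintf(stderr, "built without GnuTLS headers\n"); return 2; }
#endif
```

Doing the check on the file rather than after the handshake also gives a clear, attributable log line per certificate at start-up, which is easier to alert on than a GNUTLS_CERT_EXPIRED bit surfacing later inside a connection failure.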
