author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-07-11 08:51:07 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-07-11 08:54:38 +0200
commit: 50592741521d1e2944fab8b5e5a9506a39187453 (patch)
tree: 43244b02ddc63ac5db62785dd1c81fe4de7315af
parent: 03ce45b74beab5b288f4689862465b8a2e02c207 (diff)
download: gnutls-50592741521d1e2944fab8b5e5a9506a39187453.tar.gz
doc: updated documentation on client authentication [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--  doc/cha-gtls-app.texi            15
-rw-r--r--  lib/includes/gnutls/gnutls.h.in   2
2 files changed, 15 insertions, 2 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 8fcb6dfe0a..c7349bd7fe 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -580,7 +580,7 @@ algorithm preferences. To get those preferences use
@funcref{gnutls_sign_algorithm_get_requested}. Both functions are shown below.
@showfuncC{gnutls_certificate_set_retrieve_function,gnutls_certificate_set_retrieve_function2,gnutls_sign_algorithm_get_requested}
-c
+
The functions above do not handle the requested server name automatically.
A server would need to check the name requested by the client
using @funcref{gnutls_server_name_get}, and serve the appropriate
@@ -627,6 +627,19 @@ signed by server's acceptable signers.
@showfuncdesc{gnutls_certificate_send_x509_rdn_sequence}
+On the client side, it needs to set its certificates on the credentials
+structure, similarly to server side from a file, or via a callback. Once the
+certificates are available in the credentials structure, the client will
+send them if during the handshake the server requests a certificate signed
+by the issuer of its CA.
+
+In the case a single certificate is available and the server does not
+specify a signer's list, then that certificate is always sent. It is,
+however possible, to send a certificate even when the advertised CA
+list by the server contains CAs other than its signer. That can be achieved
+using the @code{GNUTLS_FORCE_CLIENT_CERT} flag in @funcref{gnutls_init}.
+
+@showfuncC{gnutls_certificate_set_x509_key_file,gnutls_certificate_set_x509_simple_pkcs12_file,gnutls_certificate_set_retrieve_function2}
@subsubheading Client or server certificate verification
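Review bot: the sentence "the client will send them if during the handshake the server requests a certificate signed by the issuer of its CA" in the first added paragraph misstates the condition; the server advertises a list of acceptable CA names, and the client sends its certificate when the issuer of the client's certificate appears in that list, so it should read something like "if the server's certificate request lists the issuer of the client's certificate". In the second added paragraph, "the advertised CA list by the server contains CAs other than its signer" describes the wrong case: the header comment in this same patch says the flag sends the certificate "irrespective of the issuers expected by the server", i.e. the case where the signer is not in the list at all, so "does not include its signer" is the intended meaning. Worth adding the caveat that a server which does not accept the signer will normally abort the handshake, so the flag only helps with servers whose advertised CA list is known to be incomplete. Minor grammar: "On the client side, it needs to set its certificates" has a dangling "it" (suggest "A client needs to set its certificates"), "similarly to server side" should be "as on the server side", and "It is, however possible, to send" should be "It is, however, possible to send".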
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index fff7b47d10..ff8eddd469 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -355,7 +355,7 @@ typedef enum {
* @GNUTLS_NO_REPLAY_PROTECTION: Disable any replay protection in DTLS. This must only be used if replay protection is achieved using other means. Since 3.2.2.
* @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
* @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
- * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expectated by the server. Since 3.5.0.
+ * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.
* @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
*
* Enumeration of different flags for gnutls_init() function. All the flags
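Review bot: the spelling fix ("expectated" to "expected") is correct, but the comment for @GNUTLS_FORCE_CLIENT_CERT still leaves the multi-certificate case undocumented: it says the flag applies "when in client side and only a single cert is specified", without stating what happens when more than one certificate is set (ignored, or an error). Since the texinfo text added in this patch points users at this flag, the header comment should state that behaviour explicitly, e.g. "if more than one certificate is available the flag has no effect" or whatever the implementation actually does.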