Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to allow

only trusted Version 1 CAs and introduced GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2005-03-06 09:36:28 +0000
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2005-03-06 09:36:28 +0000
commit: e0516d09a008352a3481ea518001ae3f58840a5f (patch)
tree: b31c8765df2173ded6659a80a9a4f46ee947ca85 /includes/gnutls
parent: 75fdf50a32cbc732f370adf1ec09f1e2053551c7 (diff)
download: gnutls-e0516d09a008352a3481ea518001ae3f58840a5f.tar.gz
1 files changed, 13 insertions, 7 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 420253a610..99475d3e00 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -289,16 +289,22 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx);
 
 typedef enum gnutls_certificate_verify_flags {
     GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be
-                                      * a certificate authority.
+                                      * a certificate authority. This flag should normaly 
+                                      * be disabled, unless you know what this means.
                                       */
-    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2,/* Allow CA certificates that have version 1.
-	                                  * This might be dangerous since those haven't
-	                                  * the basicConstraints extension.
-					  */
-    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4 /* If a certificate is not signed by anyone
-                                       * trusted but exists in the trusted ca list
+    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2, /* Allow only trusted CA certificates that have version 1.
+                                           * This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
+                                           * and should be used instead. That way only signers in your 
+                                           * trusted list will be allowed to have certificates of version 1.
+                                           */
+    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4,/* If a certificate is not signed by anyone
+                                       * trusted but exists in the trusted CA list
                                        * do not treat it as trusted.
                                        */
+    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT=8 /* Allow CA certificates that have version 1 (both root
+                                              * and intermediate). This might be dangerous since those haven't
+	                                      * the basicConstraints extension.
+					      */
 } gnutls_certificate_verify_flags;
 
 int gnutls_x509_crt_check_issuer( gnutls_x509_crt_t cert,
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2005-03-06 09:36:28 +0000
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2005-03-06 09:36:28 +0000
commit	e0516d09a008352a3481ea518001ae3f58840a5f (patch)
tree	b31c8765df2173ded6659a80a9a4f46ee947ca85 /includes/gnutls
parent	75fdf50a32cbc732f370adf1ec09f1e2053551c7 (diff)
download	gnutls-e0516d09a008352a3481ea518001ae3f58840a5f.tar.gz