diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2005-03-06 09:36:28 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2005-03-06 09:36:28 +0000 |
commit | e0516d09a008352a3481ea518001ae3f58840a5f (patch) | |
tree | b31c8765df2173ded6659a80a9a4f46ee947ca85 /includes/gnutls | |
parent | 75fdf50a32cbc732f370adf1ec09f1e2053551c7 (diff) | |
download | gnutls-e0516d09a008352a3481ea518001ae3f58840a5f.tar.gz |
Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to allow
only trusted Version 1 CAs and introduced GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT
which has the old semantics.
Diffstat (limited to 'includes/gnutls')
-rw-r--r-- | includes/gnutls/x509.h | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index 420253a610..99475d3e00 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h @@ -289,16 +289,22 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx); typedef enum gnutls_certificate_verify_flags { GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be - * a certificate authority. + * a certificate authority. This flag should normaly + * be disabled, unless you know what this means. */ - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2,/* Allow CA certificates that have version 1. - * This might be dangerous since those haven't - * the basicConstraints extension. - */ - GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4 /* If a certificate is not signed by anyone - * trusted but exists in the trusted ca list + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2, /* Allow only trusted CA certificates that have version 1. + * This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, + * and should be used instead. That way only signers in your + * trusted list will be allowed to have certificates of version 1. + */ + GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4,/* If a certificate is not signed by anyone + * trusted but exists in the trusted CA list * do not treat it as trusted. */ + GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT=8 /* Allow CA certificates that have version 1 (both root + * and intermediate). This might be dangerous since those haven't + * the basicConstraints extension. + */ } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer( gnutls_x509_crt_t cert, |