1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.4.8 of GnuTLS.
Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.4.8: Certificate credentials</title>
<meta name="description" content="GnuTLS 3.4.8: Certificate credentials">
<meta name="keywords" content="GnuTLS 3.4.8: Certificate credentials">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Associating-the-credentials.html#Associating-the-credentials" rel="up" title="Associating the credentials">
<link href="SRP-credentials.html#SRP-credentials" rel="next" title="SRP credentials">
<link href="Associating-the-credentials.html#Associating-the-credentials" rel="prev" title="Associating the credentials">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space: nowrap}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: serif; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
border-spacing: 7px;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en">
<a name="Certificate-credentials"></a>
<div class="header">
<p>
Next: <a href="SRP-credentials.html#SRP-credentials" accesskey="n" rel="next">SRP credentials</a>, Up: <a href="Associating-the-credentials.html#Associating-the-credentials" accesskey="u" rel="up">Associating the credentials</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Certificates"></a>
<h4 class="subsection">6.4.1 Certificates</h4>
<a name="Server-certificate-authentication"></a>
<h4 class="subsubheading">Server certificate authentication</h4>
<p>When using certificates the server is required to have at least one
certificate and private key pair. Clients may not hold such
a pair, but a server could require it. In this section we discuss
general issues applying to both client and server certificates. The next
section will elaborate on issues arising from client authentication only.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fallocate_005fcredentials">gnutls_certificate_allocate_credentials</a> (gnutls_certificate_credentials_t * <var>res</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005ffree_005fcredentials">gnutls_certificate_free_credentials</a> (gnutls_certificate_credentials_t <var>sc</var>)</code></dt>
</dl>
<p>After the credentials structures are initialized, the certificate
and key pair must be loaded. This occurs before any <acronym>TLS</acronym>
session is initialized, and the same structures are reused for multiple sessions.
Depending on the certificate type different loading functions
are available, as shown below.
For <acronym>X.509</acronym> certificates, the functions will
accept and use a certificate chain that leads to a trusted
authority. The certificate chain must be ordered in such way that every
certificate certifies the one before it. The trusted authority’s
certificate need not to be included since the peer should possess it
already.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fkey_005ffile2">gnutls_certificate_set_x509_key_file2</a> (gnutls_certificate_credentials_t <var>res</var>, const char * <var>certfile</var>, const char * <var>keyfile</var>, gnutls_x509_crt_fmt_t <var>type</var>, const char * <var>pass</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fkey_005fmem2">gnutls_certificate_set_x509_key_mem2</a> (gnutls_certificate_credentials_t <var>res</var>, const gnutls_datum_t * <var>cert</var>, const gnutls_datum_t * <var>key</var>, gnutls_x509_crt_fmt_t <var>type</var>, const char * <var>pass</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fkey">gnutls_certificate_set_x509_key</a> (gnutls_certificate_credentials_t <var>res</var>, gnutls_x509_crt_t * <var>cert_list</var>, int <var>cert_list_size</var>, gnutls_x509_privkey_t <var>key</var>)</code></dt>
</dl>
<dl compact="compact">
<dt><code><var>int</var> <a href="OpenPGP-API.html#gnutls_005fcertificate_005fset_005fopenpgp_005fkey_005ffile">gnutls_certificate_set_openpgp_key_file</a> (gnutls_certificate_credentials_t <var>res</var>, const char * <var>certfile</var>, const char * <var>keyfile</var>, gnutls_openpgp_crt_fmt_t <var>format</var>)</code></dt>
<dt><code><var>int</var> <a href="OpenPGP-API.html#gnutls_005fcertificate_005fset_005fopenpgp_005fkey_005fmem">gnutls_certificate_set_openpgp_key_mem</a> (gnutls_certificate_credentials_t <var>res</var>, const gnutls_datum_t * <var>cert</var>, const gnutls_datum_t * <var>key</var>, gnutls_openpgp_crt_fmt_t <var>format</var>)</code></dt>
<dt><code><var>int</var> <a href="OpenPGP-API.html#gnutls_005fcertificate_005fset_005fopenpgp_005fkey">gnutls_certificate_set_openpgp_key</a> (gnutls_certificate_credentials_t <var>res</var>, gnutls_openpgp_crt_t <var>crt</var>, gnutls_openpgp_privkey_t <var>pkey</var>)</code></dt>
</dl>
<p>It is recommended to use the higher level functions such as <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fkey_005ffile2">gnutls_certificate_set_x509_key_file2</a>
which accept not only file names but URLs that specify objects stored in token,
or system certificates and keys (see <a href="Application_002dspecific-keys.html#Application_002dspecific-keys">Application-specific keys</a>). For these cases, another important
function is <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fpin_005ffunction">gnutls_certificate_set_pin_function</a>, that
allows setting a callback function to retrieve a PIN if the input keys are
protected by PIN.
</p>
<dl>
<dt><a name="index-gnutls_005fcertificate_005fset_005fpin_005ffunction"></a>Function: <em>void</em> <strong>gnutls_certificate_set_pin_function</strong> <em>(gnutls_certificate_credentials_t <var>cred</var>, gnutls_pin_callback_t <var>fn</var>, void * <var>userdata</var>)</em></dt>
<dd><p><var>cred</var>: is a <code>gnutls_certificate_credentials_t</code> type.
</p>
<p><var>fn</var>: A PIN callback
</p>
<p><var>userdata</var>: Data to be passed in the callback
</p>
<p>This function will set a callback function to be used when
required to access a protected object. This function overrides any other
global PIN functions.
</p>
<p>Note that this function must be called right after initialization
to have effect.
</p>
<p><strong>Since:</strong> 3.1.0
</p></dd></dl>
<p>If the imported keys and certificates need to be accessed before any TLS session
is established, it is convenient to use <a href="Abstract-key-API.html#gnutls_005fcertificate_005fset_005fkey">gnutls_certificate_set_key</a>
in combination with <a href="Abstract-key-API.html#gnutls_005fpcert_005fimport_005fx509_005fraw">gnutls_pcert_import_x509_raw</a> and <a href="Abstract-key-API.html#gnutls_005fprivkey_005fimport_005fx509_005fraw">gnutls_privkey_import_x509_raw</a>.
</p>
<dl>
<dt><a name="index-gnutls_005fcertificate_005fset_005fkey"></a>Function: <em>int</em> <strong>gnutls_certificate_set_key</strong> <em>(gnutls_certificate_credentials_t <var>res</var>, const char ** <var>names</var>, int <var>names_size</var>, gnutls_pcert_st * <var>pcert_list</var>, int <var>pcert_list_size</var>, gnutls_privkey_t <var>key</var>)</em></dt>
<dd><p><var>res</var>: is a <code>gnutls_certificate_credentials_t</code> type.
</p>
<p><var>names</var>: is an array of DNS name of the certificate (NULL if none)
</p>
<p><var>names_size</var>: holds the size of the names list
</p>
<p><var>pcert_list</var>: contains a certificate list (path) for the specified private key
</p>
<p><var>pcert_list_size</var>: holds the size of the certificate list
</p>
<p><var>key</var>: is a <code>gnutls_privkey_t</code> key
</p>
<p>This function sets a certificate/private key pair in the
gnutls_certificate_credentials_t type. This function may be
called more than once, in case multiple keys/certificates exist for
the server. For clients that wants to send more than its own end
entity certificate (e.g., also an intermediate CA cert) then put
the certificate chain in <code>pcert_list</code> .
</p>
<p>Note that the <code>pcert_list</code> and <code>key</code> will become part of the credentials
structure and must not be deallocated. They will be automatically deallocated
when the <code>res</code> type is deinitialized.
</p>
<p>If that function fails to load the <code>res</code> structure is at an undefined state, it must
not be reused to load other keys or certificates.
</p>
<p><strong>Returns:</strong> <code>GNUTLS_E_SUCCESS</code> (0) on success, or a negative error code.
</p>
<p><strong>Since:</strong> 3.0
</p></dd></dl>
<p>If multiple certificates are used with the functions above each
client’s request will be served with the certificate that matches the
requested name (see <a href="Server-name-indication.html#Server-name-indication">Server name indication</a>).
</p>
<p>As an alternative to loading from files or buffers, a callback may be used for the
server or the client to specify the certificate and the key at the handshake time.
In that case a certificate should be selected according the peer’s signature
algorithm preferences. To get those preferences use
<a href="Core-TLS-API.html#gnutls_005fsign_005falgorithm_005fget_005frequested">gnutls_sign_algorithm_get_requested</a>. Both functions are shown below.
</p>
<dl compact="compact">
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fretrieve_005ffunction">gnutls_certificate_set_retrieve_function</a> (gnutls_certificate_credentials_t <var>cred</var>, gnutls_certificate_retrieve_function * <var>func</var>)</code></dt>
<dt><code><var>void</var> <a href="Abstract-key-API.html#gnutls_005fcertificate_005fset_005fretrieve_005ffunction2">gnutls_certificate_set_retrieve_function2</a> (gnutls_certificate_credentials_t <var>cred</var>, gnutls_certificate_retrieve_function2 * <var>func</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsign_005falgorithm_005fget_005frequested">gnutls_sign_algorithm_get_requested</a> (gnutls_session_t <var>session</var>, size_t <var>indx</var>, gnutls_sign_algorithm_t * <var>algo</var>)</code></dt>
</dl>
<p>c
The functions above do not handle the requested server name automatically.
A server would need to check the name requested by the client
using <a href="Core-TLS-API.html#gnutls_005fserver_005fname_005fget">gnutls_server_name_get</a>, and serve the appropriate
certificate. Note that some of these functions require the <code>gnutls_pcert_st</code> structure to be
filled in. Helper functions to fill in the structure are listed below.
</p>
<pre class="verbatim">typedef struct gnutls_pcert_st
{
gnutls_pubkey_t pubkey;
gnutls_datum_t cert;
gnutls_certificate_type_t type;
} gnutls_pcert_st;
</pre>
<dl compact="compact">
<dt><code><var>int</var> <a href="Abstract-key-API.html#gnutls_005fpcert_005fimport_005fx509">gnutls_pcert_import_x509</a> (gnutls_pcert_st * <var>pcert</var>, gnutls_x509_crt_t <var>crt</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="Abstract-key-API.html#gnutls_005fpcert_005fimport_005fopenpgp">gnutls_pcert_import_openpgp</a> (gnutls_pcert_st * <var>pcert</var>, gnutls_openpgp_crt_t <var>crt</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="Abstract-key-API.html#gnutls_005fpcert_005fimport_005fx509_005fraw">gnutls_pcert_import_x509_raw</a> (gnutls_pcert_st * <var>pcert</var>, const gnutls_datum_t * <var>cert</var>, gnutls_x509_crt_fmt_t <var>format</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="Abstract-key-API.html#gnutls_005fpcert_005fimport_005fopenpgp_005fraw">gnutls_pcert_import_openpgp_raw</a> (gnutls_pcert_st * <var>pcert</var>, const gnutls_datum_t * <var>cert</var>, gnutls_openpgp_crt_fmt_t <var>format</var>, gnutls_openpgp_keyid_t <var>keyid</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>void</var> <a href="Abstract-key-API.html#gnutls_005fpcert_005fdeinit">gnutls_pcert_deinit</a> (gnutls_pcert_st * <var>pcert</var>)</code></dt>
</dl>
<p>In a handshake, the negotiated cipher suite depends on the
certificate’s parameters, so some key exchange methods might not be
available with all certificates. <acronym>GnuTLS</acronym> will disable
ciphersuites that are not compatible with the key, or the enabled
authentication methods. For example keys marked as sign-only, will
not be able to access the plain RSA ciphersuites, that require
decryption. It is not recommended to use RSA keys for both
signing and encryption. If possible use a different key for the
<code>DHE-RSA</code> which uses signing and <code>RSA</code> that requires decryption.
All the key exchange methods shown in <a href="Certificate-authentication.html#tab_003akey_002dexchange">Table 4.1</a> are
available in certificate authentication.
</p>
<a name="Client-certificate-authentication"></a>
<h4 class="subsubheading">Client certificate authentication</h4>
<p>If a certificate is to be requested from the client during the handshake, the server
will send a certificate request message. This behavior is controlled <a href="Core-TLS-API.html#gnutls_005fcertificate_005fserver_005fset_005frequest">gnutls_certificate_server_set_request</a>.
The request contains a list of the acceptable by the server certificate signers. This list
is constructed using the trusted certificate authorities of the server.
In cases where the server supports a large number of certificate authorities
it makes sense not to advertise all of the names to save bandwidth. That can
be controlled using the function <a href="Core-TLS-API.html#gnutls_005fcertificate_005fsend_005fx509_005frdn_005fsequence">gnutls_certificate_send_x509_rdn_sequence</a>.
This however will have the side-effect of not restricting the client to certificates
signed by server’s acceptable signers.
</p>
<dl>
<dt><a name="index-gnutls_005fcertificate_005fserver_005fset_005frequest"></a>Function: <em>void</em> <strong>gnutls_certificate_server_set_request</strong> <em>(gnutls_session_t <var>session</var>, gnutls_certificate_request_t <var>req</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code> type.
</p>
<p><var>req</var>: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
</p>
<p>This function specifies if we (in case of a server) are going to
send a certificate request message to the client. If <code>req</code> is
GNUTLS_CERT_REQUIRE then the server will return an error if the
peer does not provide a certificate. If you do not call this
function then the client will not be asked to send a certificate.
</p></dd></dl>
<dl>
<dt><a name="index-gnutls_005fcertificate_005fsend_005fx509_005frdn_005fsequence"></a>Function: <em>void</em> <strong>gnutls_certificate_send_x509_rdn_sequence</strong> <em>(gnutls_session_t <var>session</var>, int <var>status</var>)</em></dt>
<dd><p><var>session</var>: a <code>gnutls_session_t</code> type.
</p>
<p><var>status</var>: is 0 or 1
</p>
<p>If status is non zero, this function will order gnutls not to send
the rdnSequence in the certificate request message. That is the
server will not advertise its trusted CAs to the peer. If status
is zero then the default behaviour will take effect, which is to
advertise the server’s trusted CAs.
</p>
<p>This function has no effect in clients, and in authentication
methods other than certificate with X.509 certificates.
</p></dd></dl>
<a name="Client-or-server-certificate-verification"></a>
<h4 class="subsubheading">Client or server certificate verification</h4>
<p>Certificate verification is possible by loading the trusted
authorities into the credentials structure by using
the following functions, applicable to X.509 and OpenPGP certificates.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fsystem_005ftrust">gnutls_certificate_set_x509_system_trust</a> (gnutls_certificate_credentials_t <var>cred</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005ftrust_005ffile">gnutls_certificate_set_x509_trust_file</a> (gnutls_certificate_credentials_t <var>cred</var>, const char * <var>cafile</var>, gnutls_x509_crt_fmt_t <var>type</var>)</code></dt>
<dt><code><var>int</var> <a href="OpenPGP-API.html#gnutls_005fcertificate_005fset_005fopenpgp_005fkeyring_005ffile">gnutls_certificate_set_openpgp_keyring_file</a> (gnutls_certificate_credentials_t <var>c</var>, const char * <var>file</var>, gnutls_openpgp_crt_fmt_t <var>format</var>)</code></dt>
</dl>
<p>The peer’s certificate will be automatically verified if
<a href="Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert">gnutls_session_set_verify_cert</a> is called prior to handshake.
</p>
<p>Alternatively, one must set a callback function during the handshake
using <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fverify_005ffunction">gnutls_certificate_set_verify_function</a>, which
will verify the peer’s certificate once received. The verification
should happen using <a href="Core-TLS-API.html#gnutls_005fcertificate_005fverify_005fpeers3">gnutls_certificate_verify_peers3</a> within
the callback. It will verify the certificate’s signature and the owner
of the certificate. That will provide a brief verification output. If a
detailed output is required one should call <a href="Core-TLS-API.html#gnutls_005fcertificate_005fget_005fpeers">gnutls_certificate_get_peers</a>
to obtain the raw certificate of the peer and verify it using the
functions discussed in <a href="X_002e509-certificates.html#X_002e509-certificates">X.509 certificates</a>.
</p>
<p>In both the automatic and the manual cases, the verification status returned
can be printed using <a href="Core-TLS-API.html#gnutls_005fcertificate_005fverification_005fstatus_005fprint">gnutls_certificate_verification_status_print</a>.
</p>
<dl>
<dt><a name="index-gnutls_005fsession_005fset_005fverify_005fcert"></a>Function: <em>void</em> <strong>gnutls_session_set_verify_cert</strong> <em>(gnutls_session_t <var>session</var>, const char * <var>hostname</var>, unsigned <var>flags</var>)</em></dt>
<dd><p><var>session</var>: is a gnutls session
</p>
<p><var>hostname</var>: is the expected name of the peer; may be <code>NULL</code>
</p>
<p><var>flags</var>: flags for certificate verification – <code>gnutls_certificate_verify_flags</code>
</p>
<p>This function instructs GnuTLS to verify the peer’s certificate
using the provided hostname. If the verification fails the handshake
will also fail with <code>GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR</code> . In that
case the verification result can be obtained using <code>gnutls_session_get_verify_cert_status()</code> .
</p>
<p>The <code>hostname</code> pointer provided must remain valid for the lifetime
of the session. More precisely it should be available during any subsequent
handshakes. If no hostname is provided, no hostname verification
will be performed. For a more advanced verification function check
<code>gnutls_session_set_verify_cert2()</code> .
</p>
<p>The <code>gnutls_session_set_verify_cert()</code> function is intended to be used by TLS
clients to verify the server’s certificate.
</p>
<p><strong>Since:</strong> 3.4.6
</p></dd></dl>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fverify_005fpeers3">gnutls_certificate_verify_peers3</a> (gnutls_session_t <var>session</var>, const char * <var>hostname</var>, unsigned int * <var>status</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fverify_005ffunction">gnutls_certificate_set_verify_function</a> (gnutls_certificate_credentials_t <var>cred</var>, gnutls_certificate_verify_function * <var>func</var>)</code></dt>
</dl>
<hr>
<div class="header">
<p>
Next: <a href="SRP-credentials.html#SRP-credentials" accesskey="n" rel="next">SRP credentials</a>, Up: <a href="Associating-the-credentials.html#Associating-the-credentials" accesskey="u" rel="up">Associating the credentials</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
