When operating in the context of a TLS session, the trusted certificate authority list may also be set using:
Then it is not required to setup a trusted list as above. The function gnutls_certificate_verify_peers2 may then be used to verify the peer’s certificate chain. The flags are set similarly to the verification functions in the previous section.
There is also the possibility to pass some input to the verification
functions in the form of flags. For gnutls_x509_trust_list_verify_crt the
flags are passed straightforward, but
gnutls_certificate_verify_peers2 depends on the flags set by
calling gnutls_certificate_set_verify_flags. All the available
flags are part of the enumeration
gnutls_certificate_verify_flags shown in gnutls_certificate_verify_flags.
If set a signer does not have to be a certificate authority. This flag should normaly be disabled, unless you know what this means.
Allow trusted CA certiï¬cates
with version 1. This is safer than
and should be used instead. That way only signers in your trusted list
will be allowed to have certiï¬cates of version 1. This is the default.
If a certificate is not signed by anyone trusted but exists in the trusted CA list do not treat it as trusted.
Allow CA certificates that
have version 1 (both root and intermediate). This might be
dangerous since those haven’t the basicConstraints
extension. Must be used in combination with
Allow certificates to be signed using the broken MD2 algorithm.
Allow certificates to be signed using the broken MD5 algorithm.
Disable checking of activation and expiration validity periods of certificate chains. Don’t set this unless you understand the security implications.
If set a signer in the trusted list is never checked for expiration or activation.
Do not allow trusted CA certificates that have version 1. This option is to be used to deprecate all certificates of version 1.
Disable checking for validity using certificate revocation lists.
Figure 4.3: The
Although the verification of a certificate path indicates that the certificate is signed by trusted authority, does not reveal anything about the peer’s identity. It is required to verify if the certificate’s owner is the one you expect. For more information consult [RFC2818] and section ex:verify for an example.