I work on a project where we have written a client and server that use GnuTLS to communicate. Specifically, the client and server use gnutls_certificate_set_x509_trust_file() to load a CA and gnutls_certificate_set_x509_simple_pkcs12_file() to load a password-protected certificate/key pair.
Recently we have had an experience attempting to communicate using certificates that have expired. When using certs that have expired, the call to gnutls_certificate_verify_peers2() will set the GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS 2.6.6 or later---thanks for adding this check). What we would rather have happen is that when the client or server starts, it checks the expiration times on the certificates it reads, and exits if it finds no valid certificates. This saves us from attempting a connection that is going to be rejected because of the expired certificates.

Once we've loaded the CA into the gnutls_certificate_credentials_t structure, we can use gnutls_certificate_get_x509_cas() to loop over the CAs and check their activation and expiration times (using gnutls_x509_crt_get_activation_time()). However, we don't see a way to do that with the certificate/key pair that we load. gnutls_x509_crt_list_verify() looks close; however, it does not check the activation/expiration times, and we haven't found a function that lets us get a certificate list from a gnutls_certificate_credentials_t structure.

Are we missing something? Are there other suggestions on how to perform this check?

-- 
Michael Welsh Duggan ([email protected])

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
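Worked example, added here; it is not part of Michael's post and not GnuTLS code. It shows the startup check the post asks for: a validity-window decision over plain time_t values (the same two values GnuTLS hands back from gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time() on a gnutls_x509_crt_t produced by gnutls_x509_crt_import()), a loop that decides whether any loaded certificate is usable and so whether the program should exit, and a minimal DER walk that reads notBefore/notAfter straight out of a certificate so the example compiles and runs without GnuTLS. The embedded SAMPLE_DER is constructed: a cert-shaped fragment carrying only the fields up to Validity, with no key and no signature. The function names validity_status, first_usable, x509_validity and sample_time are this example's own. The check is written to cover both edges (not-yet-activated as well as expired, matching the two status flags) and to tolerate a little clock skew, since a freshly issued certificate and a slow clock are a common false alarm. Doing the check before the credentials are populated means parsing the end-entity certificate and key yourself (for the PKCS#12 case via gnutls_pkcs12_import() and the bag accessors) and handing the parsed objects to gnutls_certificate_set_x509_key() rather than the file-based setter; whether that fits depends on the GnuTLS version in use.

```c
/* Validity-window check for X.509 certificates, stand-alone (no GnuTLS needed).
 * Added illustration; SAMPLE_DER below is constructed, not a real certificate. */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

enum { CERT_OK = 0, CERT_NOT_ACTIVATED = 1, CERT_EXPIRED = 2, CERT_BAD_TIME = 3 };

/* Decide whether a certificate is usable at 'now'. 'skew' seconds of clock
 * tolerance are allowed on both edges; notAfter is inclusive as in RFC 5280.
 * A value of -1 (what a failed time lookup returns) is rejected outright. */
int validity_status(time_t nb, time_t na, time_t now, long skew) {
    if (nb == (time_t)-1 || na == (time_t)-1 || nb > na) return CERT_BAD_TIME;
    if (now + skew < nb) return CERT_NOT_ACTIVATED;
    if (now - skew > na) return CERT_EXPIRED;
    return CERT_OK;
}

/* Index of the first usable certificate in a list, or -1 if none: the startup
 * decision point, where a client or server exits instead of trying a handshake. */
int first_usable(const time_t *nb, const time_t *na, size_t n, time_t now, long skew) {
    for (size_t i = 0; i < n; i++)
        if (validity_status(nb[i], na[i], now, skew) == CERT_OK) return (int)i;
    return -1;
}

/* --- Minimal DER walker: just enough to reach tbsCertificate.validity --- */
typedef struct { const unsigned char *p; size_t len; } der_t;

/* Read one TLV from d: store its tag, point body at the value, advance d past it. */
static int der_next(der_t *d, unsigned char *tag, der_t *body) {
    if (d->len < 2) return -1;
    size_t hdr = 2, len = d->p[1];
    if (len & 0x80) {                          /* long-form length, up to 4 bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || d->len < 2 + n) return -1;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | d->p[2 + i];
        hdr = 2 + n;
    }
    if (d->len - hdr < len) return -1;        /* value must fit in the buffer */
    *tag = d->p[0];
    body->p = d->p + hdr; body->len = len;
    d->p += hdr + len;    d->len -= hdr + len;
    return 0;
}

static int digits(const unsigned char *s, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm). */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* DER UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to UTC time_t. */
static int der_time(unsigned char tag, der_t t, time_t *out) {
    int year, off;
    if (tag == 0x17 && t.len == 13) { year = digits(t.p, 2); off = 2; if (year >= 0) year += year < 50 ? 2000 : 1900; }
    else if (tag == 0x18 && t.len == 15) { year = digits(t.p, 4); off = 4; }
    else return -1;
    int mo = digits(t.p + off, 2), da = digits(t.p + off + 2, 2), hh = digits(t.p + off + 4, 2),
        mi = digits(t.p + off + 6, 2), ss = digits(t.p + off + 8, 2);
    if (year < 0 || mo < 1 || mo > 12 || da < 1 || da > 31 || hh < 0 || hh > 23 ||
        mi < 0 || mi > 59 || ss < 0 || ss > 59 || t.p[t.len - 1] != 'Z') return -1;
    *out = (time_t)(days_from_civil(year, mo, da) * 86400 + hh * 3600 + mi * 60 + ss);
    return 0;
}

/* Extract notBefore/notAfter from a DER Certificate. Returns 0 on success. */
int x509_validity(const unsigned char *der, size_t len, time_t *nb, time_t *na) {
    der_t d = { der, len }, cert, tbs, f, v;
    unsigned char tag;
    if (der_next(&d, &tag, &cert) || tag != 0x30) return -1;    /* Certificate */
    if (der_next(&cert, &tag, &tbs) || tag != 0x30) return -1;  /* tbsCertificate */
    if (der_next(&tbs, &tag, &f)) return -1;                     /* [0] version, or serial */
    if (tag == 0xA0 && der_next(&tbs, &tag, &f)) return -1;      /* serialNumber */
    if (tag != 0x02) return -1;
    if (der_next(&tbs, &tag, &f) || tag != 0x30) return -1;      /* signature AlgorithmIdentifier */
    if (der_next(&tbs, &tag, &f) || tag != 0x30) return -1;      /* issuer Name */
    if (der_next(&tbs, &tag, &v) || tag != 0x30) return -1;      /* validity */
    if (der_next(&v, &tag, &f) || der_time(tag, f, nb)) return -1;
    if (der_next(&v, &tag, &f) || der_time(tag, f, na)) return -1;
    return 0;
}

/* Constructed, cert-shaped DER: only the fields up to validity, no key or signature. */
static const unsigned char SAMPLE_DER[] = {
    0x30, 0x3D,                               /* Certificate SEQUENCE (truncated) */
    0x30, 0x3B,                               /* tbsCertificate SEQUENCE */
    0xA0, 0x03, 0x02, 0x01, 0x02,             /* [0] version v3 */
    0x02, 0x01, 0x01,                         /* serialNumber 1 */
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, /* sha256WithRSA */
    0x30, 0x00,                               /* issuer: empty Name */
    0x30, 0x1E,                               /* validity SEQUENCE */
    0x17, 0x0D, '2','0','0','1','0','1','0','0','0','0','0','0','Z', /* notBefore 2020-01-01T00:00:00Z */
    0x17, 0x0D, '3','0','0','1','0','1','0','0','0','0','0','0','Z', /* notAfter  2030-01-01T00:00:00Z */
    0x30, 0x00,                               /* subject: empty Name */
};

/* notBefore (which == 0) or notAfter (which != 0) of the sample, -1 on parse error. */
time_t sample_time(int which) {
    time_t nb, na;
    if (x509_validity(SAMPLE_DER, sizeof SAMPLE_DER, &nb, &na)) return (time_t)-1;
    return which ? na : nb;
}

int main(void) {
    time_t nb = sample_time(0), na = sample_time(1), now = time(NULL);
    static const char *names[] = { "ok", "not yet activated", "expired", "bad time" };
    printf("notBefore=%lld notAfter=%lld -> %s\n", (long long)nb, (long long)na,
           names[validity_status(nb, na, now, 300)]);
    return first_usable(&nb, &na, 1, now, 300) < 0 ? 1 : 0;  /* non-zero: nothing usable */
}
```

Build with `cc -std=c99 -Wall -o certcheck certcheck.c` and run it; the process exits non-zero when no certificate in the list is usable, which is the behaviour the post wants at startup. With GnuTLS doing the parsing, x509_validity is replaced by the two gnutls_x509_crt_get_*_time() calls and only validity_status and first_usable remain.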
