summaryrefslogtreecommitdiffstats
path: root/doc/functions/gnutls_certificate_verify_peers3
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
commit36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree6c68e0c0097987aff85a01dabddd34b862309a7c /doc/functions/gnutls_certificate_verify_peers3
parentInitial commit. (diff)
downloadgnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz
gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/functions/gnutls_certificate_verify_peers3')
-rw-r--r--doc/functions/gnutls_certificate_verify_peers344
1 files changed, 44 insertions, 0 deletions
diff --git a/doc/functions/gnutls_certificate_verify_peers3 b/doc/functions/gnutls_certificate_verify_peers3
new file mode 100644
index 0000000..7cb1d79
--- /dev/null
+++ b/doc/functions/gnutls_certificate_verify_peers3
@@ -0,0 +1,44 @@
+
+
+
+
+@deftypefun {int} {gnutls_certificate_verify_peers3} (gnutls_session_t @var{session}, const char * @var{hostname}, unsigned int * @var{status})
+@var{session}: is a gnutls session
+
+@var{hostname}: is the expected name of the peer; may be @code{NULL}
+
+@var{status}: is the output of the verification
+
+This function will verify the peer's certificate and store the
+the status in the @code{status} variable as a bitwise OR of gnutls_certificate_status_t
+values or zero if the certificate is trusted. Note that value in @code{status} is set only when the return value of this function is success (i.e, failure
+to trust a certificate does not imply a negative return value).
+The default verification flags used by this function can be overridden
+using @code{gnutls_certificate_set_verify_flags()} . See the documentation
+of @code{gnutls_certificate_verify_peers2()} for details in the verification process.
+
+This function will take into account the stapled OCSP responses sent by the server,
+as well as the following X.509 certificate extensions: Name Constraints,
+Key Usage, and Basic Constraints (pathlen).
+
+If the @code{hostname} provided is non-NULL then this function will compare
+the hostname in the certificate against it. The comparison will follow
+the RFC6125 recommendations. If names do not match the
+@code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set.
+
+In order to verify the purpose of the end-certificate (by checking the extended
+key usage), use @code{gnutls_certificate_verify_peers()} .
+
+To avoid denial of service attacks some
+default upper limits regarding the certificate key size and chain
+size are set. To override them use @code{gnutls_certificate_set_verify_limits()} .
+
+Note that when using raw public-keys verification will not work because there is
+no corresponding certificate body belonging to the raw key that can be verified. In that
+case this function will return @code{GNUTLS_E_INVALID_REQUEST} .
+
+@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) when the validation is performed, or a negative error code otherwise.
+A successful error code means that the @code{status} parameter must be checked to obtain the validation status.
+
+@strong{Since:} 3.1.4
+@end deftypefun