diff options
Diffstat (limited to 'doc/enums/gnutls_certificate_verify_flags')
| -rw-r--r-- | doc/enums/gnutls_certificate_verify_flags | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/doc/enums/gnutls_certificate_verify_flags b/doc/enums/gnutls_certificate_verify_flags new file mode 100644 index 0000000..c3c71a0 --- /dev/null +++ b/doc/enums/gnutls_certificate_verify_flags @@ -0,0 +1,65 @@ + + +@c gnutls_certificate_verify_flags +@table @code +@item GNUTLS_@-VERIFY_@-DISABLE_@-CA_@-SIGN +If set a signer does not have to be +a certificate authority. This flag should normally be disabled, +unless you know what this means. +@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-IP_@-MATCHES +When verifying a hostname +prevent textual IP addresses from matching IP addresses in the +certificate. Treat the input only as a DNS name. +@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-SAME +If a certificate is not signed by +anyone trusted but exists in the trusted CA list do not treat it +as trusted. +@item GNUTLS_@-VERIFY_@-ALLOW_@-ANY_@-X509_@-V1_@-CA_@-CRT +Allow CA certificates that +have version 1 (both root and intermediate). This might be +dangerous since those haven't the basicConstraints +extension. +@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-RSA_@-MD2 +Allow certificates to be signed +using the broken MD2 algorithm. +@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-RSA_@-MD5 +Allow certificates to be signed +using the broken MD5 algorithm. +@item GNUTLS_@-VERIFY_@-DISABLE_@-TIME_@-CHECKS +Disable checking of activation +and expiration validity periods of certificate chains. Don't set +this unless you understand the security implications. +@item GNUTLS_@-VERIFY_@-DISABLE_@-TRUSTED_@-TIME_@-CHECKS +If set a signer in the trusted +list is never checked for expiration or activation. +@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-X509_@-V1_@-CA_@-CRT +Do not allow trusted CA +certificates that have version 1. This option is to be used +to deprecate all certificates of version 1. +@item GNUTLS_@-VERIFY_@-DISABLE_@-CRL_@-CHECKS +Disable checking for validity +using certificate revocation lists or the available OCSP data. +@item GNUTLS_@-VERIFY_@-ALLOW_@-UNSORTED_@-CHAIN +A certificate chain is tolerated +if unsorted (the case with many TLS servers out there). This is the +default since GnuTLS 3.1.4. +@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-UNSORTED_@-CHAIN +Do not tolerate an unsorted +certificate chain. +@item GNUTLS_@-VERIFY_@-DO_@-NOT_@-ALLOW_@-WILDCARDS +When including a hostname +check in the verification, do not consider any wildcards. +@item GNUTLS_@-VERIFY_@-USE_@-TLS1_@-RSA +This indicates that a (raw) RSA signature is provided +as in the TLS 1.0 protocol. Not all functions accept this flag. +@item GNUTLS_@-VERIFY_@-IGNORE_@-UNKNOWN_@-CRIT_@-EXTENSIONS +This signals the verification +process, not to fail on unknown critical extensions. +@item GNUTLS_@-VERIFY_@-ALLOW_@-SIGN_@-WITH_@-SHA1 +Allow certificates to be signed +using the broken SHA1 hash algorithm. +@item GNUTLS_@-VERIFY_@-RSA_@-PSS_@-FIXED_@-SALT_@-LENGTH +Disallow RSA-PSS signatures made +with mismatching salt length with digest length, as mandated in RFC 8446 +4.2.3. +@end table |