gnutls_certificate_verify_peers3(3)

1gnutls_certificate_verify_peers3(3) gnutls gnutls_certificate_verify_peers3(3)
2
3
4

NAME

6       gnutls_certificate_verify_peers3 - API function
7

SYNOPSIS

9       #include <gnutls/gnutls.h>
10
11       int  gnutls_certificate_verify_peers3(gnutls_session_t  session,  const
12       char * hostname, unsigned int * status);
13

ARGUMENTS

15       gnutls_session_t session
16                   is a gnutls session
17
18       const char * hostname
19                   is the expected name of the peer; may be NULL
20
21       unsigned int * status
22                   is the output of the verification
23

DESCRIPTION

25       This function will verify the peer's certificate and store the the sta‐
26       tus  in the  status variable as a bitwise OR of gnutls_certificate_sta‐
27       tus_t values or zero if the certificate is trusted. Note that value  in
28       status  is  set  only when the return value of this function is success
29       (i.e, failure to trust a certificate does not imply a  negative  return
30       value).   The  default  verification flags used by this function can be
31       overridden using gnutls_certificate_set_verify_flags(). See  the  docu‐
32       mentation of gnutls_certificate_verify_peers2() for details in the ver‐
33       ification process.
34
35       This function will take into account the stapled OCSP responses sent by
36       the server, as well as the following X.509 certificate extensions: Name
37       Constraints, Key Usage, and Basic Constraints (pathlen).
38
39       If the  hostname provided is non-NULL then this function  will  compare
40       the  hostname in the certificate against it. The comparison will follow
41       the RFC6125 recommendations. If names do not match the  GNUTLS_CERT_UN‐
42       EXPECTED_OWNER status flag will be set.
43
44       In  order to verify the purpose of the end-certificate (by checking the
45       extended key usage), use gnutls_certificate_verify_peers().
46
47       To avoid denial of service attacks some default upper limits  regarding
48       the  certificate  key size and chain size are set. To override them use
49       gnutls_certificate_set_verify_limits().
50
51       Note that when using raw public-keys verification will not work because
52       there  is  no  corresponding  certificate body belonging to the raw key
53       that  can  be  verified.  In  that  case  this  function  will   return
54       GNUTLS_E_INVALID_REQUEST.
55

RETURNS

57       GNUTLS_E_SUCCESS  [22m(0)  when  the validation is performed, or a negative
58       error code otherwise.  A successful error code means that  the   status
59       parameter must be checked to obtain the validation status.
60

SINCE

62       3.1.4
63

REPORTING BUGS

65       Report bugs to <bugs@gnutls.org>.
66       Home page: https://www.gnutls.org
67
68

COPYRIGHT

70       Copyright © 2001-2023 Free Software Foundation, Inc., and others.
71       Copying  and  distribution  of this file, with or without modification,
72       are permitted in any medium without royalty provided the copyright  no‐
73       tice and this notice are preserved.
74