Hi, (I've sent an e-mail about this possible problem to the maintainer as well)

https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security shows an example for performing client certificate authentication. The function get_client_certificate invokes gnutls_certificate_verify_peers2 to verify the validity of the certificate. That gnutls_certificate_verify_peers2 function returns a result code but also a status code. According to https://www.gnutls.org/manual/html_node/Core-TLS-API.html the result code only tells you whether the evaluation itself went well, not whether the certificate is valid. For that second part, one would need to evaluate the second parameter ("unsigned int * status"), which contains the status of the certificate, see https://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-certificate-status-t

So the certificate should only be used if that status (client_cert_status in the example) is 0. In my opinion the example should be changed to verify that status, as people may use the example "as is", potentially implementing security problems in software using it.

Hopefully I'm wrong in my analysis!

Regards,

Folkert van Heusden

--
Always wondered what the latency of your webserver is? Or how much more latency you get when you go through a proxy server/tor? The numbers tell the tale and with HTTPing you know them! http://www.vanheusden.com/httping/
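As an added illustration (not code from the libmicrohttpd tutorial or from the post above) of the two-part check being described: a pure-C decision helper that accepts a client certificate only when both the return code and the status bitmask of gnutls_certificate_verify_peers2 are clean, plus a wrapper against a live GnuTLS session that is compiled only where the GnuTLS headers are available. The function names client_cert_acceptable and verify_client_certificate are my own.

```c
/* Added example, not part of the tutorial or the mailing-list post.
 * gnutls_certificate_verify_peers2() yields two things: an int return
 * value (0 if the verification procedure ran, negative on an API error)
 * and a status bitmask (0 if the chain verified, otherwise GNUTLS_CERT_*
 * failure flags).  Both must be checked before trusting the peer. */
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<gnutls/gnutls.h>)
#    include <gnutls/gnutls.h>
#    define HAVE_GNUTLS 1
#  endif
#endif

/* Return 1 only if verification ran (ret == 0) AND reported no problems
 * (status == 0).  A negative ret means the procedure itself failed, so
 * the status value carries no information and the peer must be rejected. */
int client_cert_acceptable(int ret, unsigned int status)
{
    if (ret < 0)        /* verification did not complete */
        return 0;
    if (status != 0)    /* verification completed and found problems */
        return 0;
    return 1;
}

#ifdef HAVE_GNUTLS
/* Wrapper following the tutorial's get_client_certificate flow, but it
 * rejects on a non-zero status.  Returns 1 if the client certificate is
 * trusted, 0 otherwise; rejection reasons are logged to stderr. */
int verify_client_certificate(gnutls_session_t session)
{
    unsigned int status = 0;
    int ret = gnutls_certificate_verify_peers2(session, &status);

    if (client_cert_acceptable(ret, status))
        return 1;

    if (ret < 0) {
        fprintf(stderr, "verify_peers2 failed: %s\n", gnutls_strerror(ret));
        return 0;
    }
    /* Translate the status bits into a human-readable reason for the log. */
    gnutls_datum_t reason;
    if (gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
                                                     &reason, 0) == 0) {
        fprintf(stderr, "client certificate rejected: %s\n", reason.data);
        gnutls_free(reason.data);
    }
    return 0;
}
#endif
```

Calling verify_client_certificate from the tutorial's get_client_certificate path, instead of only checking the return value, is the change the post asks for.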