Thanks, I've fixed the documentation in Git already. -Christian
On 3/2/21 3:42 PM, folkert wrote:
> Hi,
>
> (I've sent an e-mail about this possible problem to the maintainer
> as well)
>
> https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security
> shows an example for performing client certificate authentication.
>
> The function get_client_certificate invokes
> gnutls_certificate_verify_peers2 to verify the validity of the
> certificate.
> That gnutls_certificate_verify_peers2 function returns a result code but
> also a status code. According to
> https://www.gnutls.org/manual/html_node/Core-TLS-API.html the result
> code only tells you whether the evaluation itself went well, not if the
> certificate is valid. For that second part, one would need to evaluate
> the second parameter ("unsigned int * status") which contains the status
> of the certificate, see
> https://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-certificate-status-t
> So only if that status (client_cert_status in the example) is 0 should
> the certificate be used.
>
> In my opinion the example should be changed to verify that status as
> people may use the example "as is", potentially implementing
> security problems in software using it.
>
> Hopefully I'm wrong in my analysis!
>
>
> Regards,
>
> Folkert van Heusden
>
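The two-stage check Folkert describes, as an added example that is not part of the thread, the libmicrohttpd tutorial, or GnuTLS itself. gnutls_certificate_verify_peers2() hands the caller two things: its int return value (0 on success, negative if the verification could not be carried out at all) and the bit mask it stores through its `unsigned int *status` parameter (0 only when the chain verified cleanly against the trust store). The decision function below takes exactly that pair; `decide_client_cert` and `describe_cert_status` are names chosen for this example. The flag values are copied from gnutls_certificate_status_t so that the file builds offline; in a real build you would include `<gnutls/gnutls.h>` and use the GNUTLS_CERT_* constants instead. Note that a status of 0 only says the certificate chains to a configured CA; deciding which client it identifies (by inspecting the subject DN or SAN) is a separate step the handler still has to do.

```c
#include <stdio.h>
#include <string.h>

/* Values mirror gnutls_certificate_status_t from <gnutls/gnutls.h>.
 * They are duplicated here only so this example builds without the
 * GnuTLS headers; use the GNUTLS_CERT_* constants in real code. */
enum {
    CERT_INVALID            = 1 << 1,
    CERT_REVOKED            = 1 << 5,
    CERT_SIGNER_NOT_FOUND   = 1 << 6,
    CERT_SIGNER_NOT_CA      = 1 << 7,
    CERT_INSECURE_ALGORITHM = 1 << 8,
    CERT_NOT_ACTIVATED      = 1 << 9,
    CERT_EXPIRED            = 1 << 10,
    CERT_SIGNATURE_FAILURE  = 1 << 11
};

enum cert_decision {
    CERT_ACCEPT,                /* ret == 0 and status == 0 */
    CERT_REJECT_VERIFY_ERROR,   /* ret < 0: verification did not run */
    CERT_REJECT_UNTRUSTED       /* ret == 0 but status has bits set */
};

/* ret is the return value of gnutls_certificate_verify_peers2();
 * client_cert_status is what it stored through its second parameter.
 * Both must be zero before the certificate is trusted: a successful
 * return only means the evaluation itself ran, not that it passed. */
enum cert_decision decide_client_cert(int ret, unsigned int client_cert_status)
{
    if (ret < 0)
        return CERT_REJECT_VERIFY_ERROR;  /* fail closed on library errors */
    if (client_cert_status != 0)
        return CERT_REJECT_UNTRUSTED;     /* chain verified and was found bad */
    return CERT_ACCEPT;
}

static const struct { unsigned int bit; const char *name; } flag_names[] = {
    { CERT_INVALID,            "invalid" },
    { CERT_REVOKED,            "revoked" },
    { CERT_SIGNER_NOT_FOUND,   "signer-not-found" },
    { CERT_SIGNER_NOT_CA,      "signer-not-ca" },
    { CERT_INSECURE_ALGORITHM, "insecure-algorithm" },
    { CERT_NOT_ACTIVATED,      "not-activated" },
    { CERT_EXPIRED,            "expired" },
    { CERT_SIGNATURE_FAILURE,  "signature-failure" }
};

/* Render the set status bits as a comma-separated list for the log line
 * that accompanies a rejection. Returns the number of recognised flags. */
size_t describe_cert_status(unsigned int status, char *buf, size_t buflen)
{
    size_t count = 0, used = 0;
    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(status & flag_names[i].bit))
            continue;
        int w = snprintf(buf + used, buflen - used, "%s%s",
                         count ? "," : "", flag_names[i].name);
        if (w < 0 || (size_t)w >= buflen - used)
            break;  /* buffer full; keep what fits */
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed (ret, status) pairs standing in for real verify calls. */
    struct { int ret; unsigned int status; } cases[] = {
        { 0, 0 },                                     /* trusted */
        { 0, CERT_INVALID | CERT_SIGNER_NOT_FOUND },  /* unknown CA */
        { 0, CERT_INVALID | CERT_EXPIRED },           /* expired */
        { -1, 0 }                                     /* verify failed to run */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char why[128];
        describe_cert_status(cases[i].status, why, sizeof why);
        enum cert_decision d = decide_client_cert(cases[i].ret, cases[i].status);
        printf("ret=%d status=0x%x -> %s%s%s\n", cases[i].ret, cases[i].status,
               d == CERT_ACCEPT ? "accept" : "reject",
               why[0] ? ": " : "", why);
    }
    return 0;
}
```

The point of keeping the decision in one function is that the handler calls it in one place and cannot accidentally fall through to "use the certificate" after only checking the return value, which is the mistake the tutorial example invites.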