1 @node Certificate authentication
2 @chapter Certificate authentication
3 @cindex certificate authentication
5 The most known authentication method of @acronym{TLS} are certificates.
6 The PKIX @xcite{PKIX} public key infrastructure is daily used by anyone
7 using a browser today. @acronym{GnuTLS} supports both
8 @acronym{X.509} certificates @xcite{PKIX} and @acronym{OpenPGP}
9 certificates using a common API.
11 The key exchange algorithms supported by certificate authentication are
12 shown in @ref{tab:key-exchange}.
14 @float Table,tab:key-exchange
15 @multitable @columnfractions .2 .7
17 @headitem Key exchange @tab Description
20 The RSA algorithm is used to encrypt a key and send it to the peer.
21 The certificate must allow the key to be used for encryption.
23 @item RSA_@-EXPORT @tab
24 The RSA algorithm is used to encrypt a key and send it to the peer.
25 In the EXPORT algorithm, the server signs temporary RSA parameters of
26 512 bits --- which are considered weak --- and sends them to the
30 The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters
31 which are sent to the peer. The key in the certificate must allow the
32 key to be used for signing. Note that key exchange algorithms which
33 use ephemeral Diffie-Hellman parameters, offer perfect forward
34 secrecy. That means that even if the private key used for signing is
35 compromised, it cannot be used to reveal past session data.
37 @item ECDHE_@-RSA @tab
38 The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman
39 parameters which are sent to the peer. The key in the certificate must allow
40 the key to be used for signing. It also offers perfect forward
41 secrecy. That means that even if the private key used for signing is
42 compromised, it cannot be used to reveal past session data.
45 The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters
46 which are sent to the peer. The certificate must contain DSA
47 parameters to use this key exchange algorithm. DSA is the algorithm
48 of the Digital Signature Standard (DSS).
50 @item ECDHE_@-ECDSA @tab
51 The Elliptic curve DSA algorithm is used to sign ephemeral elliptic
52 curve Diffie-Hellman parameters which are sent to the peer. The
53 certificate must contain ECDSA parameters (i.e., EC and marked for signing)
54 to use this key exchange algorithm.
57 @caption{Supported key exchange algorithms.}
61 * X.509 certificates::
62 * OpenPGP certificates::
63 * Advanced certificate verification::
64 * Digital signatures::
67 @node X.509 certificates
68 @section @acronym{X.509} certificates
69 @cindex X.509 certificates
71 The @acronym{X.509} protocols rely on a hierarchical trust model. In
72 this trust model Certification Authorities (CAs) are used to certify
73 entities. Usually more than one certification authorities exist, and
74 certification authorities may certify other authorities to issue
75 certificates as well, following a hierarchical model.
77 @float Figure,fig:x509
78 @image{gnutls-x509,7cm}
79 @caption{An example of the X.509 hierarchical trust model.}
82 One needs to trust one or more CAs for his secure communications. In
83 that case only the certificates issued by the trusted authorities are
84 acceptable. The framework is illustrated on @ref{fig:x509}.
87 * X.509 certificate structure::
88 * Importing an X.509 certificate::
89 * X.509 distinguished names::
90 * Verifying X.509 certificate paths::
91 * Verifying a certificate in the context of TLS session::
94 @node X.509 certificate structure
95 @subsection @acronym{X.509} certificate structure
97 An @acronym{X.509} certificate usually contains information about the
98 certificate holder, the signer, a unique serial number, expiration
99 dates and some other fields @xcite{PKIX} as shown in @ref{tab:x509}.
101 @float Table,tab:x509
102 @multitable @columnfractions .2 .7
104 @headitem Field @tab Description
107 The field that indicates the version of the certificate.
109 @item serialNumber @tab
110 This field holds a unique serial number per certificate.
113 The issuing authority's signature.
116 Holds the issuer's distinguished name.
119 The activation and expiration dates.
122 The subject's distinguished name of the certificate.
124 @item extensions @tab
125 The extensions are fields only present in version 3 certificates.
128 @caption{X.509 certificate fields.}
131 The certificate's @emph{subject or issuer name} is not just a single
132 string. It is a Distinguished name and in the @acronym{ASN.1}
133 notation is a sequence of several object identifiers with their corresponding
134 values. Some of available OIDs to be used in an @acronym{X.509}
135 distinguished name are defined in @file{gnutls/x509.h}.
137 The @emph{Version} field in a certificate has values either 1 or 3 for
138 version 3 certificates. Version 1 certificates do not support the
139 extensions field so it is not possible to distinguish a CA from a
140 person, thus their usage should be avoided.
142 The @emph{validity} dates are there to indicate the date that the
143 specific certificate was activated and the date the certificate's key
144 would be considered invalid.
146 Certificate @emph{extensions} are there to include information about
147 the certificate's subject that did not fit in the typical certificate
148 fields. Those may be e-mail addresses, flags that indicate whether the
149 belongs to a CA etc. All the supported @acronym{X.509} version 3
150 extensions are shown in @ref{tab:x509-ext}.
152 @float Table,tab:x509-ext
153 @multitable @columnfractions .3 .2 .4
155 @headitem Extension @tab OID @tab Description
157 @item Subject key id @tab 2.5.29.14 @tab
158 An identifier of the key of the subject.
160 @item Authority key id @tab 2.5.29.35 @tab
161 An identifier of the authority's key used to sign the certificate.
163 @item Subject alternative name @tab 2.5.29.17 @tab
164 Alternative names to subject's distinguished name.
166 @item Key usage @tab 2.5.29.15 @tab
167 Constraints the key's usage of the certificate.
169 @item Extended key usage @tab 2.5.29.37 @tab
170 Constraints the purpose of the certificate.
172 @item Basic constraints @tab 2.5.29.19 @tab
173 Indicates whether this is a CA certificate or not, and specify the
174 maximum path lengths of certificate chains.
176 @item CRL distribution points @tab 2.5.29.31 @tab
177 This extension is set by the CA, in order to inform about the issued
180 @item Proxy Certification Information @tab 1.3.6.1.5.5.7.1.14 @tab
181 Proxy Certificates includes this extension that contains the OID of
182 the proxy policy language used, and can specify limits on the maximum
183 lengths of proxy chains. Proxy Certificates are specified in
187 @caption{X.509 certificate extensions.}
190 In @acronym{GnuTLS} the @acronym{X.509} certificate structures are
191 handled using the @code{gnutls_x509_crt_t} type and the corresponding
192 private keys with the @code{gnutls_x509_privkey_t} type. All the
193 available functions for @acronym{X.509} certificate handling have
194 their prototypes in @file{gnutls/x509.h}. An example program to
195 demonstrate the @acronym{X.509} parsing capabilities can be found in
198 @node Importing an X.509 certificate
199 @subsection Importing an X.509 certificate
201 The certificate structure should be initialized using @funcref{gnutls_x509_crt_init}, and
202 a certificate structure can be imported using @funcref{gnutls_x509_crt_import}.
204 @showfuncC{gnutls_x509_crt_init,gnutls_x509_crt_import,gnutls_x509_crt_deinit}
206 In several functions an array of certificates is required. To assist in initialization
207 and import the following two functions are provided.
209 @showfuncB{gnutls_x509_crt_list_import,gnutls_x509_crt_list_import2}
211 In all cases after use a certificate must be deinitialized using @funcref{gnutls_x509_crt_deinit}.
212 Note that although the functions above apply to @code{gnutls_x509_crt_t} structure, similar functions
213 exist for the CRL structure @code{gnutls_x509_crl_t}.
215 @node X.509 distinguished names
216 @subsection X.509 distinguished names
217 @cindex X.509 distinguished name
219 The ``subject'' of an X.509 certificate is not described by
220 a single name, but rather with a distinguished name. This in
221 X.509 terminology is a list of strings each associated an object
222 identifier. To make things simple GnuTLS provides @funcref{gnutls_x509_crt_get_dn}
223 which follows the rules in @xcite{RFC4514} and returns a single
224 string. Access to each string by individual object identifiers
225 can be accessed using @funcref{gnutls_x509_crt_get_dn_by_oid}.
227 @showfuncdesc{gnutls_x509_crt_get_dn}
228 @showfuncdesc{gnutls_x509_crt_get_dn_by_oid}
229 @showfuncdesc{gnutls_x509_crt_get_dn_oid}
231 The more powerful @funcref{gnutls_x509_crt_get_subject} and
232 @funcref{gnutls_x509_dn_get_rdn_ava} provide efficient access
233 to the contents of the distinguished name structure.
235 @showfuncdesc{gnutls_x509_crt_get_subject}
236 @showfuncdesc{gnutls_x509_dn_get_rdn_ava}
238 Similar functions exist to access the distinguished name
239 of the issuer of the certificate.
241 @showfuncD{gnutls_x509_crt_get_issuer_dn,gnutls_x509_crt_get_issuer_dn_by_oid,gnutls_x509_crt_get_issuer_dn_oid,gnutls_x509_crt_get_issuer}
243 @node Verifying X.509 certificate paths
244 @subsection Verifying @acronym{X.509} certificate paths
245 @cindex verifying certificate paths
247 Verifying certificate paths is important in @acronym{X.509}
248 authentication. For this purpose the following functions are
251 @showfuncdesc{gnutls_x509_trust_list_add_cas}
252 @showfuncdesc{gnutls_x509_trust_list_add_named_crt}
253 @showfuncdesc{gnutls_x509_trust_list_add_crls}
254 @showfuncdesc{gnutls_x509_trust_list_verify_crt}
255 @showfuncdesc{gnutls_x509_trust_list_verify_named_crt}
257 @showfuncdesc{gnutls_x509_trust_list_add_trust_file}
258 @showfuncdesc{gnutls_x509_trust_list_add_trust_mem}
259 @showfuncdesc{gnutls_x509_trust_list_add_system_trust}
261 The verification function will verify a given certificate chain against a list of certificate
262 authorities and certificate revocation lists, and output
263 a bit-wise OR of elements of the @code{gnutls_@-certificate_@-status_t}
264 enumeration shown in @ref{gnutls_certificate_status_t}. The @code{GNUTLS_@-CERT_@-INVALID} flag
265 is always set on a verification error and more detailed flags will also be set when appropriate.
267 @showenumdesc{gnutls_certificate_status_t,The @code{gnutls_@-certificate_@-status_t} enumeration.}
269 An example of certificate verification is shown in @ref{ex:verify2}.
270 It is also possible to have a set of certificates that
271 are trusted for a particular server but not to authorize other certificates.
272 This purpose is served by the functions @funcref{gnutls_x509_trust_list_add_named_crt} and @funcref{gnutls_x509_trust_list_verify_named_crt}.
274 @node Verifying a certificate in the context of TLS session
275 @subsection Verifying a certificate in the context of TLS session
276 @cindex verifying certificate paths
277 @tindex gnutls_certificate_verify_flags
279 When operating in the context of a TLS session, the trusted certificate
280 authority list may also be set using:
281 @showfuncC{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust}
283 Then it is not required to setup a trusted list as above.
284 The function @funcref{gnutls_certificate_verify_peers2}
285 may then be used to verify the peer's certificate chain. The flags
286 are set similarly to the verification functions in the previous section.
288 There is also the possibility to pass some input to the verification
289 functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt} the
290 flags are passed straightforward, but
291 @funcref{gnutls_certificate_verify_peers2} depends on the flags set by
292 calling @funcref{gnutls_certificate_set_verify_flags}. All the available
293 flags are part of the enumeration
294 @code{gnutls_@-certificate_@-verify_@-flags} shown in @ref{gnutls_certificate_verify_flags}.
296 @showenumdesc{gnutls_certificate_verify_flags,The @code{gnutls_@-certificate_@-verify_@-flags} enumeration.}
298 Although the verification of a certificate path indicates that the
299 certificate is signed by trusted authority, does not reveal anything
300 about the peer's identity. It is required to verify if the
301 certificate's owner is the one you expect. For more information
302 consult @funcref{gnutls_x509_crt_check_hostname}, section @ref{ex:verify} for an example, and @xcite{RFC2818}.
305 @node OpenPGP certificates
306 @section @acronym{OpenPGP} certificates
307 @cindex OpenPGP certificates
309 The @acronym{OpenPGP} key authentication relies on a distributed trust
310 model, called the ``web of trust''. The ``web of trust'' uses a
311 decentralized system of trusted introducers, which are the same as a
312 CA. @acronym{OpenPGP} allows anyone to sign anyone else's public
313 key. When Alice signs Bob's key, she is introducing Bob's key to
314 anyone who trusts Alice. If someone trusts Alice to introduce keys,
315 then Alice is a trusted introducer in the mind of that observer.
316 For example in @ref{fig:openpgp}, David trusts Alice to be an introducer and Alice
317 signed Bob's key thus Dave trusts Bob's key to be the real one.
319 @float Figure,fig:openpgp
320 @image{gnutls-pgp,8cm}
321 @caption{An example of the OpenPGP trust model.}
324 There are some key points that are important in that model. In the
325 example Alice has to sign Bob's key, only if she is sure that the key
326 belongs to Bob. Otherwise she may also make Dave falsely believe that
327 this is Bob's key. Dave has also the responsibility to know who to
328 trust. This model is similar to real life relations.
330 Just see how Charlie behaves in the previous example. Although he has
331 signed Bob's key - because he knows, somehow, that it belongs to Bob -
332 he does not trust Bob to be an introducer. Charlie decided to trust
333 only Kevin, for some reason. A reason could be that Bob is lazy
334 enough, and signs other people's keys without being sure that they
335 belong to the actual owner.
337 @float Table,tab:openpgp-certificate
338 @multitable @columnfractions .2 .7
340 @headitem Field @tab Description
343 The field that indicates the version of the OpenPGP structure.
346 An RFC 2822 string that identifies the owner of the key. There may be
347 multiple user identifiers in a key.
349 @item public key @tab
350 The main public key of the certificate.
352 @item expiration @tab
353 The expiration time of the main public key.
355 @item public subkey @tab
356 An additional public key of the certificate. There may be multiple subkeys
359 @item public subkey expiration @tab
360 The expiration time of the subkey.
363 @caption{OpenPGP certificate fields.}
367 @subsection @acronym{OpenPGP} certificate structure
369 In @acronym{GnuTLS} the @acronym{OpenPGP} certificate structures
370 @xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type.
371 A typical certificate contains the user ID, which is an RFC 2822
372 mail and name address, a public key, possibly a number of additional
373 public keys (called subkeys), and a number of signatures. The various
374 fields are shown in @ref{tab:openpgp-certificate}.
376 The additional subkeys may provide key for various different purposes,
377 e.g. one key to encrypt mail, and another to sign a TLS key exchange.
378 Each subkey is identified by a unique key ID.
379 The keys that are to be used in a TLS key exchange that requires
380 signatures are called authentication keys in the OpenPGP jargon.
381 The mapping of TLS key exchange methods to public keys is shown in
382 @ref{tab:openpgp-key-exchange}.
384 @float Table,tab:openpgp-key-exchange
385 @multitable @columnfractions .2 .7
387 @headitem Key exchange @tab Public key requirements
390 An RSA public key that allows encryption.
393 An RSA public key that is marked for authentication.
395 @item ECDHE_@-RSA @tab
396 An RSA public key that is marked for authentication.
399 A DSA public key that is marked for authentication.
402 @caption{The types of (sub)keys required for the various TLS key exchange methods.}
405 The corresponding private keys are stored in the
406 @code{gnutls_openpgp_privkey_t} type. All the prototypes for the key
407 handling functions can be found in @file{gnutls/openpgp.h}.
409 @subsection Verifying an @acronym{OpenPGP} certificate
411 The verification functions of @acronym{OpenPGP} keys, included in
412 @acronym{GnuTLS}, are simple ones, and do not use the features of the
413 ``web of trust''. For that reason, if the verification needs are
414 complex, the assistance of external tools like @acronym{GnuPG} and
415 GPGME@footnote{@url{http://www.gnupg.org/related_software/gpgme/}} is
418 In GnuTLS there is a verification function for OpenPGP certificates,
419 the @funcref{gnutls_openpgp_crt_verify_ring}. This checks an
420 @acronym{OpenPGP} key against a given set of public keys (keyring) and
421 returns the key status. The key verification status is the same as in
422 @acronym{X.509} certificates, although the meaning and interpretation
423 are different. For example an @acronym{OpenPGP} key may be valid, if
424 the self signature is ok, even if no signers were found. The meaning
425 of verification status flags is the same as in the @acronym{X.509} certificates
426 (see @ref{gnutls_certificate_verify_flags}).
428 @showfuncdesc{gnutls_openpgp_crt_verify_ring}
430 @showfuncdesc{gnutls_openpgp_crt_verify_self}
432 @subsection Verifying a certificate in the context of a TLS session
434 Similarly with X.509 certificates, one needs to specify
435 the OpenPGP keyring file in the credentials structure. The certificates
436 in this file will be used by @funcref{gnutls_certificate_verify_peers2}
437 to verify the signatures in the certificate sent by the peer.
439 @showfuncdesc{gnutls_certificate_set_openpgp_keyring_file}
441 @node Advanced certificate verification
442 @section Advanced certificate verification
443 @cindex Certificate verification
446 * Verifying a certificate using trust on first use authentication::
447 * Verifying a certificate using DANE (DNSSEC)::
450 @node Verifying a certificate using trust on first use authentication
451 @subsection Verifying a certificate using trust on first use authentication
452 @cindex verifying certificate paths
453 @cindex SSH-style authentication
454 @cindex Trust on first use
456 @tindex gnutls_certificate_verify_flags
458 It is possible to use a trust on first use (TOFU) authentication
459 method in GnuTLS. That is the concept used by the SSH programs, where the
460 public key of the peer is not verified, or verified in an out-of-bound way,
461 but subsequent connections to the same peer require the public key to
462 remain the same. Such a system in combination with the typical CA
463 verification of a certificate, and OCSP revocation checks,
464 can help to provide multiple factor verification, where a single point of
465 failure is not enough to compromise the system. For example a server compromise
466 may be detected using OCSP, and a CA compromise can be detected using
467 the trust on first use method.
468 Such a hybrid system with X.509 and trust on first use authentication is
469 shown in @ref{Simple client example with SSH-style certificate verification}.
471 @showfuncdesc{gnutls_verify_stored_pubkey}
472 @showfuncdesc{gnutls_store_pubkey}
474 In addition to the above the @funcref{gnutls_store_commitment} can be
475 used to implement a key-pinning architecture as in @xcite{KEYPIN}.
476 This provides a way for web server to commit on a public key that is
479 @showfuncdesc{gnutls_store_commitment}
481 The storage and verification functions may be used with the default
482 text file based back-end, or another back-end may be specified. That
483 should contain storage and retrieval functions and specified as below.
485 @showfuncE{gnutls_tdb_init,gnutls_tdb_deinit,gnutls_tdb_set_verify_func,gnutls_tdb_set_store_func,gnutls_tdb_set_store_commitment_func}
487 @node Verifying a certificate using DANE (DNSSEC)
488 @subsection Verifying a certificate using DANE (DNSSEC)
489 @cindex verifying certificate paths
492 @tindex gnutls_certificate_verify_flags
494 The DANE protocol is a protocol that can be used to verify TLS certificates
495 using the DNS (or better DNSSEC) protocols. The DNS security extensions (DNSSEC)
496 provide an alternative public key infrastructure to the commercial CAs that
497 are typically used to sign TLS certificates. The DANE protocol takes advantage
498 of the DNSSEC infrastructure to verify TLS certificates. This can be
499 in addition to the verification by commercial CA infrastructure or
500 could even replace it where DNSSEC is deployed.
502 The DANE functionality is provided by the @code{libgnutls-dane} library that is shipped
503 with GnuTLS and the function prototypes are in @code{gnutls/dane.h}.
505 @subsubheading Using the DANE library
506 Since the DANE library is not included in GnuTLS it requires programs
507 to be linked against it. This can be achieved with the following commands.
510 gcc -o foo foo.c `pkg-config gnutls-dane --cflags --libs`
513 When a program uses the GNU autoconf system, then the following
514 line or similar can be used to detect the presence of the library.
517 PKG_CHECK_MODULES([LIBDANE], [gnutls-dane >= 3.0.0])
519 AC_SUBST([LIBDANE_CFLAGS])
520 AC_SUBST([LIBDANE_LIBS])
523 @subsubheading DANE library functionality
525 The library provides high level verification functions which are shown below.
527 @showfuncdesc{dane_verify_crt}
529 @showfuncB{dane_verify_session_crt,dane_strerror}
531 Note that the @code{dane_state_t} structure that is accepted by both
532 verification functions is optional. It is required when many queries
533 are performed to facilitate caching.
534 The following flags are returned by the verify functions to
535 indicate the status of the verification.
537 @showenumdesc{dane_verify_status_t,The DANE verification status flags.}
539 In order to generate a DANE TLSA entry to use in a DNS server
540 you may use danetool (see @ref{danetool Invocation}).
542 @node Digital signatures
543 @section Digital signatures
544 @cindex digital signatures
546 In this section we will provide some information about digital
547 signatures, how they work, and give the rationale for disabling some
548 of the algorithms used.
550 Digital signatures work by using somebody's secret key to sign some
551 arbitrary data. Then anybody else could use the public key of that
552 person to verify the signature. Since the data may be arbitrary it is
553 not suitable input to a cryptographic digital signature algorithm. For
554 this reason and also for performance cryptographic hash algorithms are
555 used to preprocess the input to the signature algorithm. This works as
556 long as it is difficult enough to generate two different messages with
557 the same hash algorithm output. In that case the same signature could
558 be used as a proof for both messages. Nobody wants to sign an innocent
559 message of donating 1 euro to Greenpeace and find out that he
560 donated 1.000.000 euros to Bad Inc.
562 For a hash algorithm to be called cryptographic the following three
563 requirements must hold:
566 @item Preimage resistance.
567 That means the algorithm must be one way and given the output of the
568 hash function @math{H(x)}, it is impossible to calculate @math{x}.
570 @item 2nd preimage resistance.
571 That means that given a pair @math{x,y} with @math{y=H(x)} it is
572 impossible to calculate an @math{x'} such that @math{y=H(x')}.
574 @item Collision resistance.
575 That means that it is impossible to calculate random @math{x} and
576 @math{x'} such @math{H(x')=H(x)}.
579 The last two requirements in the list are the most important in
580 digital signatures. These protect against somebody who would like to
581 generate two messages with the same hash output. When an algorithm is
582 considered broken usually it means that the Collision resistance of
583 the algorithm is less than brute force. Using the birthday paradox the
584 brute force attack takes
586 @math{2^{(\rm{hash\ size}) / 2}}
589 @math{2^{((hash size) / 2)}}
591 operations. Today colliding certificates using the MD5 hash algorithm
592 have been generated as shown in @xcite{WEGER}.
594 There has been cryptographic results for the SHA-1 hash algorithms as
595 well, although they are not yet critical. Before 2004, MD5 had a
596 presumed collision strength of @math{2^{64}}, but it has been showed
597 to have a collision strength well under @math{2^{50}}. As of November
598 2005, it is believed that SHA-1's collision strength is around
599 @math{2^{63}}. We consider this sufficiently hard so that we still
600 support SHA-1. We anticipate that SHA-256/386/512 will be used in
601 publicly-distributed certificates in the future. When @math{2^{63}}
602 can be considered too weak compared to the computer power available
603 sometime in the future, SHA-1 will be disabled as well. The collision
604 attacks on SHA-1 may also get better, given the new interest in tools
607 @subsection Trading security for interoperability
609 If you connect to a server and use GnuTLS' functions to verify the
610 certificate chain, and get a @code{GNUTLS_CERT_INSECURE_ALGORITHM}
611 validation error (see @ref{Verifying X.509 certificate paths}), it means
612 that somewhere in the certificate chain there is a certificate signed
613 using @code{RSA-MD2} or @code{RSA-MD5}. These two digital signature
614 algorithms are considered broken, so GnuTLS fails verifying
615 the certificate. In some situations, it may be useful to be
616 able to verify the certificate chain anyway, assuming an attacker did
617 not utilize the fact that these signatures algorithms are broken.
618 This section will give help on how to achieve that.
620 It is important to know that you do not have to enable any of
621 the flags discussed here to be able to use trusted root CA
622 certificates self-signed using @code{RSA-MD2} or @code{RSA-MD5}. The
623 certificates in the trusted list are considered trusted irrespective
626 If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
627 certificate chain, you can call
628 @funcref{gnutls_certificate_update_verify_flags} or
629 @funcref{gnutls_certificate_set_verify_flags} with the flags:
631 @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
632 @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5}
634 as in the following example:
637 gnutls_certificate_update_verify_flags (x509cred,
638 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
641 This will signal the verifier algorithm to enable @code{RSA-MD5} when
642 verifying the certificates.
644 If you are using @funcref{gnutls_x509_crt_verify} or
645 @funcref{gnutls_x509_crt_list_verify}, you can pass the
646 @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} parameter directly in the
647 @code{flags} parameter.
649 If you are using these flags, it may also be a good idea to warn the
650 user when verification failure occur for this reason. The simplest is
651 to not use the flags by default, and only fall back to using them
652 after warning the user. If you wish to inspect the certificate chain
653 yourself, you can use @funcref{gnutls_certificate_get_peers} to extract
654 the raw server's certificate chain, @funcref{gnutls_x509_crt_list_import} to parse each of the certificates, and
655 then @funcref{gnutls_x509_crt_get_signature_algorithm} to find out the
656 signing algorithm used for each certificate. If any of the
657 intermediary certificates are using @code{GNUTLS_SIGN_RSA_MD2} or
658 @code{GNUTLS_SIGN_RSA_MD5}, you could present a warning.