[glib/mcatanzaro/#2646: 32/32] Deprecate GDtlsClientConnection validation flags



commit 2150d0b998ea0ff334495d3c66b672934582a01f
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue May 10 13:34:10 2022 -0500

    Deprecate GDtlsClientConnection validation flags
    
    See !2214 for motivation. It doesn't work properly anymore, and the TLS
    versions of these functions were already deprecated. Sadly, I missed the
    DTLS versions.
    
    Fixes #2646

 gio/gdtlsclientconnection.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
---
diff --git a/gio/gdtlsclientconnection.c b/gio/gdtlsclientconnection.c
index bdbf890fe9..a0ed3d2430 100644
--- a/gio/gdtlsclientconnection.c
+++ b/gio/gdtlsclientconnection.c
@@ -63,7 +63,21 @@ g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface)
    * ways indicated here will be rejected unless the application
    * overrides the default via #GDtlsConnection::accept-certificate.
    *
+   * GLib guarantees that if certificate verification fails, at least one
+   * flag will be set, but it does not guarantee that all possible flags
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error. For example, it would be incorrect to mask
+   * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
+   * because this could potentially be the only error flag set even if
+   * other problems exist with the certificate. Therefore, there is no
+   * safe way to use this property. This is not a horrible problem,
+   * though, because you should not be attempting to ignore validation
+   * errors anyway. If you really must ignore TLS certificate errors,
+   * connect to #GDtlsConnection::accept-certificate.
+   *
    * Since: 2.48
+   *
+   * Deprecated: 2.74: Do not attempt to ignore validation errors.
    */
   g_object_interface_install_property (iface,
                                        g_param_spec_flags ("validation-flags",
@@ -162,9 +176,15 @@ g_dtls_client_connection_new (GDatagramBased      *base_socket,
  *
  * Gets @conn's validation flags
  *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
  * Returns: the validation flags
  *
  * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
  */
 GTlsCertificateFlags
 g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
@@ -186,7 +206,13 @@ g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
  * checks performed when validating a server certificate. By default,
  * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
  *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
  * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
  */
 void
 g_dtls_client_connection_set_validation_flags (GDtlsClientConnection  *conn,


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]