[glib/mcatanzaro/#2646: 32/32] Deprecate GDtlsClientConnection validation flags
- From: Philip Withnall <pwithnall src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/mcatanzaro/#2646: 32/32] Deprecate GDtlsClientConnection validation flags
- Date: Mon, 16 May 2022 12:44:54 +0000 (UTC)
commit 2150d0b998ea0ff334495d3c66b672934582a01f
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue May 10 13:34:10 2022 -0500
Deprecate GDtlsClientConnection validation flags
See !2214 for motivation. The validation flags no longer work properly, and the TLS
versions of these functions were already deprecated. Sadly, I missed the
DTLS versions.
Fixes #2646
gio/gdtlsclientconnection.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
---
diff --git a/gio/gdtlsclientconnection.c b/gio/gdtlsclientconnection.c
index bdbf890fe9..a0ed3d2430 100644
--- a/gio/gdtlsclientconnection.c
+++ b/gio/gdtlsclientconnection.c
@@ -63,7 +63,21 @@ g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface)
* ways indicated here will be rejected unless the application
* overrides the default via #GDtlsConnection::accept-certificate.
*
+ * GLib guarantees that if certificate verification fails, at least one
+ * flag will be set, but it does not guarantee that all possible flags
+ * will be set. Accordingly, you may not safely decide to ignore any
+ * particular type of error. For example, it would be incorrect to mask
+ * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
+ * because this could potentially be the only error flag set even if
+ * other problems exist with the certificate. Therefore, there is no
+ * safe way to use this property. This is not a horrible problem,
+ * though, because you should not be attempting to ignore validation
+ * errors anyway. If you really must ignore TLS certificate errors,
+ * connect to #GDtlsConnection::accept-certificate.
+ *
* Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
*/
g_object_interface_install_property (iface,
g_param_spec_flags ("validation-flags",
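Review bot: The deprecation of the `validation-flags` property is documentation-only in this hunk: the `Deprecated: 2.74` annotation is added, but the `g_param_spec_flags` call that begins on the hunk's last line continues outside it, and nothing visible adds `G_PARAM_DEPRECATED` to the pspec flags. Without that flag GObject cannot emit its runtime deprecation warning for the property, so applications that still mask individual `GTlsCertificateFlags` bits get no signal that they rely on a mechanism the new text describes as having "no safe way to use". Worth confirming whether the pspec flags already include `G_PARAM_DEPRECATED` and adding it if not. The getter and setter in the next two hunks follow the same documentation-only pattern.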
@@ -162,9 +176,15 @@ g_dtls_client_connection_new (GDatagramBased *base_socket,
*
* Gets @conn's validation flags
*
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
* Returns: the validation flags
*
* Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
*/
GTlsCertificateFlags
g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
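Review bot: The deprecation of `g_dtls_client_connection_get_validation_flags`, and of the setter in the next hunk, lives only in the gtk-doc comment; the diffstat lists only `gio/gdtlsclientconnection.c`, so the prototypes in the header gain no compile-time deprecation attribute and callers see no build-time warning. Unless another commit in this series updates the header, the declarations should carry `GLIB_DEPRECATED_IN_2_74` to match the `Deprecated: 2.74` annotation added here. Since the point of the change is that masking individual certificate errors is unsafe, a compiler warning is the signal most likely to reach affected applications. The function body begins on the hunk's last line and continues outside it.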
@@ -186,7 +206,13 @@ g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
* checks performed when validating a server certificate. By default,
* %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
*
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
* Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
*/
void
g_dtls_client_connection_set_validation_flags (GDtlsClientConnection *conn,