On Sat, Nov 16 2013, Vincent Bernat wrote:

> By default, I would see that all checks are enabled by default: the
> certificate has not expired, the hostname matches and the certificate is
> signed by a known authority (certificates in `gnutls-trustfiles`).

+1

> When something goes wrong, we get a buffer with the certificate in
> "clear text" (like openssl x509 -in ... -noout -text). If needed, this
> is something that I can dig and provide C code for GNU TLS. This output
> contains the certificate fingerprint.
>
> A user has the possibility to whitelist the fingerprint and bypass any
> test. We should have both `gnutls-whitelist-certificates` variable and
> an option to override this whitelist when using gnutls-negotiate. The
> rationale is that we can't expect all gnutls-negotiate users to
> implement whitelisting.
>
> I think that whitelisting by fingerprint is an improvement over what is
> currently done by browsers which whitelist a whole domain without
> pinning the certificate.
>
> In the same way as for whitelisting, default verification options should
> be a variable with possibility to override it by using the appropriate
> option of `gnutls-negotiate`.
>
> Verification options could be:
>
> - `expired-certificate`
> - `revoked-certificate`
> - `untrusted-certificate`
> - `hostname-mismatch`

I think this is a really good idea and I've been waiting for that for a
long time. Since I don't have time to do this myself currently, consider
this message as strong support. \o/

I'd be happy to help and test as far as I can.

--
Julien Danjou
-- Free Software hacker - independent consultant
-- http://julien.danjou.info
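The accept/reject policy sketched in the quoted proposal (fingerprint whitelist that bypasses every check, a default set of verification options, and per-call overrides of both), as an added Emacs Lisp example that is not from this thread or from gnutls.el. Only `gnutls-whitelist-certificates`, `gnutls-negotiate` and the four option symbols come from the message; `gnutls-verification-options`, `my-gnutls-certificate-acceptable-p`, the failure-list format and the fingerprint strings are assumptions, and no real GnuTLS call is made.

```elisp
;; Added example: policy logic only.  In practice the list of failures would
;; come from the TLS library; everything not named in the message is hypothetical.
(require 'seq)

(defcustom gnutls-whitelist-certificates nil
  "Fingerprints whose certificates bypass every verification check.
Pinning the fingerprint rather than the host means a replaced
certificate for the same host is verified again from scratch."
  :type '(repeat string))

;; Hypothetical name for the default verification options from the proposal.
(defcustom gnutls-verification-options
  '(expired-certificate revoked-certificate untrusted-certificate hostname-mismatch)
  "Verification failures that cause a connection to be rejected."
  :type '(repeat symbol))

(defun my-gnutls-certificate-acceptable-p (fingerprint failures
                                           &optional options no-whitelist)
  "Decide whether the peer certificate may be accepted.
FINGERPRINT identifies the certificate; FAILURES is the list of problems
found (symbols from `gnutls-verification-options').  OPTIONS, when
non-nil, replaces the default option set for this call; NO-WHITELIST
ignores `gnutls-whitelist-certificates', as a `gnutls-negotiate' caller
might request.  Returns (ACCEPT . REASON)."
  (let* ((checks (or options gnutls-verification-options))
         (fatal (seq-filter (lambda (f) (memq f checks)) failures)))
    (cond
     ;; A whitelisted fingerprint bypasses any test unless the caller opted out.
     ((and (not no-whitelist)
           (member fingerprint gnutls-whitelist-certificates))
      (cons t 'whitelisted))
     ;; Any failure that is among the active checks rejects the connection.
     (fatal (cons nil fatal))
     ;; Failures outside the active checks are tolerated by configuration.
     (t (cons t 'verified)))))

;; Constructed inputs: the fingerprints are placeholders, not real certificates.
(let ((gnutls-whitelist-certificates '("SHA1:PLACEHOLDER-SELF-SIGNED")))
  (list
   (my-gnutls-certificate-acceptable-p "SHA1:PLACEHOLDER-OK" nil)     ; (t . verified)
   (my-gnutls-certificate-acceptable-p "SHA1:PLACEHOLDER-SELF-SIGNED" ; (t . whitelisted)
                                       '(untrusted-certificate))
   (my-gnutls-certificate-acceptable-p "SHA1:PLACEHOLDER-SELF-SIGNED" ; (nil untrusted-certificate)
                                       '(untrusted-certificate) nil t)
   (my-gnutls-certificate-acceptable-p "SHA1:PLACEHOLDER-OK"          ; (t . verified)
                                       '(expired-certificate)
                                       '(hostname-mismatch))))
```

The last call shows the cost of a per-call override: narrowing the options to `hostname-mismatch` silently tolerates an expired certificate, so overrides belong in the caller's hands, not in the default.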