Clarify documentation for directly-trusted certs The fact that self-signed end-entity certs can be explicitly trusted by putting them in the CA list even if they don't have the CA bit was not documented though it's intentional, and tested by "Certificate verification #73 (selfsigned trusted without CA bit)" in test_suite_x509parse.data It is unclear to me whether the restriction that explicitly trusted end-entity certs must be self-signed is a good one. However, it seems intentional as it is tested in tests #42 and #43, so I'm not touching it for now.

commit: ab7796faf3e8a794f8e4fe8060a9280a785e400f [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Jun 21 09:35:44 2017 +0200
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Mar 05 13:43:43 2018 +0100
tree: d890616da84a2511c9c7d56b0053d81eafb32961
parent: ac92a484314d7b43ce1b20419594cebca2106914 [diff] [blame]
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 12a98eb..ccc96a5 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -1382,6 +1382,10 @@
 /**
  * \brief          Set the data required to verify peer certificate
  *
+ * \note           See \c mbedtls_x509_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
  * \param conf     SSL configuration
  * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
  * \param ca_crl   trusted CA CRLs
commit	ab7796faf3e8a794f8e4fe8060a9280a785e400f	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Wed Jun 21 09:35:44 2017 +0200
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Mon Mar 05 13:43:43 2018 +0100
tree	d890616da84a2511c9c7d56b0053d81eafb32961
parent	ac92a484314d7b43ce1b20419594cebca2106914 [diff] [blame]