g_tls_certificate_verify() does not detect expired certificate without a CA
The documentation of this function sounds like it should be able to detect some aspects of bad certificates even without specifying a trusted_ca; in particular G_TLS_CERTIFICATE_NOT_ACTIVATED, G_TLS_CERTIFICATE_EXPIRED, or G_TLS_CERTIFICATE_INSECURE.
But that's not the case. A simple reproducer glib-networking-tls-verify.c on an expired certificate returns 0, i.e. "no errors":
gcc -g -O0 -Wall `pkg-config --cflags --libs gio-2.0` glib-networking-tls-verify.c
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/tls/ca/alice-expired.pem
./a.out alice-expired.pem
This says g_tls_certificate_verify == 0, but it should return the code for G_TLS_CERTIFICATE_EXPIRED.
glib2-2.64.3-2.fc32.x86_64 with no special configuration, i.e. I assume that's using the GnuTLS backend.
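Added example, not part of this report and not the glib-networking-tls-verify.c reproducer: an independent validity-period check in Python that reads notBefore/notAfter straight from the certificate's DER encoding and reports the two conditions that G_TLS_CERTIFICATE_NOT_ACTIVATED and G_TLS_CERTIFICATE_EXPIRED stand for, with no trusted CA involved. It shows what a caller has to do on their own as long as g_tls_certificate_verify() returns 0 here. The embedded certificates are constructed, unsigned skeletons built only so the script runs offline; pass a real PEM file (for instance alice-expired.pem) as the first argument to check it. All function names are the example's own, not GLib API.

```python
import base64
import datetime
import re
import sys

UTC = datetime.timezone.utc


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        yield tag, value


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivot: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_validity(der):
    """Return (not_before, not_after) from the TBSCertificate validity field."""
    tag, certificate, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = _read_tlv(certificate, 0)
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    times = list(_children(validity))
    return _parse_time(*times[0]), _parse_time(*times[1])


def validity_flags(der, now=None):
    """Return the subset of {"NOT_ACTIVATED", "EXPIRED"} that applies at `now`."""
    now = now or datetime.datetime.now(UTC)
    not_before, not_after = certificate_validity(der)
    flags = set()
    if now < not_before:
        flags.add("NOT_ACTIVATED")
    if now > not_after:
        flags.add("EXPIRED")
    return flags


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _time(t):
    """Encode per RFC 5280: UTCTime before 2050, GeneralizedTime from 2050 on."""
    if t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_certificate(not_before, not_after):
    """Constructed, unsigned certificate skeleton (not a real or trusted cert)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                 # version v3
               + _tlv(0x02, b"\x01")                            # serialNumber 1
               + alg                                            # signature algorithm
               + _tlv(0x30, b"")                                # issuer (empty Name)
               + _tlv(0x30, _time(not_before) + _time(not_after))  # validity
               + _tlv(0x30, b"")                                # subject (empty Name)
               + _tlv(0x30, b""))                               # subjectPublicKeyInfo placeholder
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))          # empty signature BIT STRING


def _to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Constructed samples: one expired in 2019, one not valid before 2060.
SAMPLE_EXPIRED_PEM = _to_pem(build_sample_certificate(
    datetime.datetime(2018, 1, 1, tzinfo=UTC), datetime.datetime(2019, 1, 1, tzinfo=UTC)))
SAMPLE_NOT_YET_VALID_PEM = _to_pem(build_sample_certificate(
    datetime.datetime(2060, 1, 1, tzinfo=UTC), datetime.datetime(2061, 1, 1, tzinfo=UTC)))

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPIRED_PEM
    der = pem_to_der(pem)
    print("validity:", certificate_validity(der))
    print("flags:", validity_flags(der) or {"OK"})
```

Run it as `python3 check-validity.py alice-expired.pem` to see EXPIRED reported for the certificate the reproducer above accepts; with no argument it checks the built-in expired sample. The parser only walks the DER as far as the validity SEQUENCE, so it says nothing about the signature, chain, or key strength; it covers exactly the date checks this report is about.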