Deprecate GDtlsClientConnection validation flags

See !2214 for motivation. It doesn't work properly anymore, and the TLS versions of these functions were already deprecated. Sadly, I missed the DTLS versions. Fixes #2646
2024-11-09 19:06:15 +01:00 · 2022-05-10 13:34:10 -05:00 · 2022-05-10 13:34:10 -05:00 · e27ef839d9
commit e27ef839d9
parent 848d7718b6
1 changed files with 26 additions and 0 deletions
--- a/gio/gdtlsclientconnection.c
+++ b/gio/gdtlsclientconnection.c
@ -63,7 +63,21 @@ g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface)
   * ways indicated here will be rejected unless the application
   * overrides the default via #GDtlsConnection::accept-certificate.
   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * flag will be set, but it does not guarantee that all possible flags
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error. For example, it would be incorrect to mask
+   * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
+   * because this could potentially be the only error flag set even if
+   * other problems exist with the certificate. Therefore, there is no
+   * safe way to use this property. This is not a horrible problem,
+   * though, because you should not be attempting to ignore validation
+   * errors anyway. If you really must ignore TLS certificate errors,
+   * connect to #GDtlsConnection::accept-certificate.
+   *
   * Since: 2.48
+   *
+   * Deprecated: 2.74: Do not attempt to ignore validation errors.
   */
  g_object_interface_install_property (iface,
                                       g_param_spec_flags ("validation-flags",
@ -162,9 +176,15 @@ g_dtls_client_connection_new (GDatagramBased      *base_socket,
 *
 * Gets @conn's validation flags
 *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
 * Returns: the validation flags
 *
 * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
 */
 GTlsCertificateFlags
 g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
@ -186,7 +206,13 @@ g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
 * checks performed when validating a server certificate. By default,
 * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
 *
+ * This function does not work as originally designed and is impossible
+ * to use correctly. See #GDtlsClientConnection:validation-flags for more
+ * information.
+ *
 * Since: 2.48
+ *
+ * Deprecated: 2.74: Do not attempt to ignore validation errors.
 */
 void
 g_dtls_client_connection_set_validation_flags (GDtlsClientConnection  *conn,