x509 certificate verify

Nikos Mavroyanopoulos nmav at ovrimos.com
Wed Aug 1 10:46:01 CEST 2001


While implementing the verification function for x509 certificates, I came
to the following: how should the caller verify the peer's Common Name (which in
the case of HTTP servers is the DNS name of the server)?

One approach (and the one currently implemented) was to provide a function (currently gnutls_set_X509_cn()),
which will set a string that will be compared against the peer's CN within the verification function.
If this does not match, it returns E_WRONG_CN.
The other approach is to do nothing (only verify the certificate path), and let the caller
do the checks on the CN etc.

I've implemented the first, but in the case of client authentication the server may need
to check not only the peer's CN but also some fields like O, OU, or even some of the issuer's fields.
Thus I'm thinking of moving to the second approach instead of providing a complex function that
will do the necessary comparisons. What do you think?

Nikos Mavroyanopoulos
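As an added example (not GnuTLS code and not from the post), here is the second approach in Python: after path verification the caller checks the name and any required subject/issuer attributes itself, on the DN and SAN tuples in the layout Python's ssl getpeercert() returns (the sample cert dict is constructed). Current practice, which this 2001 post predates, prefers subjectAltName dNSName entries over the CN, so the hostname check does that and falls back to the CN only when no DNS SAN is present.

```python
# Caller-side peer checks, run after the chain/signature verification.
# DNs are in getpeercert() layout: a tuple of RDNs, each a tuple of (type, value).

def _dn_attr(dn, name):
    """All values of attribute `name` (e.g. 'organizationName') in a DN."""
    return [v for rdn in dn for (k, v) in rdn if k == name]

def _name_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    # '*' must be the entire leftmost label, must not stand for a whole
    # second-level name (*.com), and matches exactly one label.
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(hl):
        return False
    return pl[1:] == hl[1:]

def check_hostname(cert, hostname):
    """True if hostname matches a SAN dNSName, or the subject CN when no DNS SAN exists."""
    san = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    names = san if san else _dn_attr(cert.get("subject", ()), "commonName")
    return any(_name_match(n, hostname) for n in names)

def check_policy(cert, subject_req=None, issuer_req=None):
    """Return the list of unmet attribute requirements; empty list means pass."""
    failures = []
    for scope, req in (("subject", subject_req or {}), ("issuer", issuer_req or {})):
        dn = cert.get(scope, ())
        for attr, wanted in req.items():
            if wanted not in _dn_attr(dn, attr):
                failures.append(f"{scope}.{attr} != {wanted!r}")
    return failures

def verify_peer(cert, hostname, subject_req=None, issuer_req=None):
    """Name check first, then the extra O/OU/issuer checks the post mentions."""
    if not check_hostname(cert, hostname):
        return ["hostname mismatch"]
    return check_policy(cert, subject_req, issuer_req)

# Constructed sample in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "GR"),), (("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Ops"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.dev.example.com")),
}
```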
