x509 certificate verify
nmav at ovrimos.com
Wed Aug 1 10:46:01 CEST 2001
While implementing the verification function for x509 certificates, I came
to the following: How should the caller verify the peer's Common Name (which in
case of http servers is the dns name of the server).
One approach (and currently implemented) was to provide a function (currently gnutls_set_X509_cn()),
which will set a string that will be compared against the peer's CN, within the verification function.
If this does not match returns E_WRONG_CN.
The other approach is to do nothing (only verify the certificate path), and let the caller
do the checks with CN etc.
I've implemented the first but in case of client authentication the server may not only need
to check the peer's CN but also some fields like O, OU, or even some of the issuer's fields.
Thus I'm thinking to move to the second approach, instead of providing a complex function, that
will do the necessary comparisons. What do you think?
More information about the Gnutls-devel