gnutls_server_name_set and IDN

Simon Josefsson simon at josefsson.org
Wed Sep 23 17:59:05 CEST 2009


Daniel Black <daniel at cacert.org> writes:

>> What the new text means is that GnuTLS applications are responsible for
>> converting any internationalized domain name into ACE before passing the
>> string on to GnuTLS.
>
> Ok. Some really clear text in the documentation about this would be
> good.

Improved now, thanks, see:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=17edc60deccccfd93a1290e27f8643b68a6c2dda

> As the UTF-8/ ASCII error may be common is it beneficial to validate
> this input to check for >7F characters?

Hm, yes, maybe -- although it would prevent usage against some server
that for some reason used a non-ASCII string there.  RFC 4366 can be
read to say that non-ASCII strings are OK, and not being able to interop
against such a server just because of an input sanitation code seems
overkill.  But it is a tradeoff and I don't feel strongly about it.

>> Let me know what you think of this, there is still time to bring this up
>> in the IETF.
>
> Its clarification also simplifies it to the point that there is no mention
> of IDNA as an appropriate mechanism to convert encodings to ASCII. Was
> this intentional?

Yes I think/hope so -- not mentioning IDNA specifically avoids
inheriting the problems associated with it: support of non-ASCII
hostnames then becomes entirely the IDNA specifications' problem.

> I'm of the opinion, until abused otherwise, that appending "UTF-8 and
> other character sets can be converted to ASCII using the ToASCII
> function defined in RFC3490 section 4." (or similar) to the "HostName"
> definition paragraph.

IDNAbis is in WGLC now, so any such reference would be obsolete soon.
Given that IDNAbis is completely different (both in design and
implementation) compared to RFC 3490 I think a specific reference would
only confuse more than it would help.  Then implementers will ask
whether the intention is that TLS SNI is only to be used with IDNA and
not IDNAbis.

> also maybe 6.1. could say, in response to the last bit of 3.1, + "Server
> applications SHOULD validate server_name against any application layer
> equivalent field."

That makes sense to me.  I'll forward that to the TLS list.

/Simon
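The thread covers three separate steps: the application converting an internationalized hostname to ACE before calling gnutls_server_name_set, the optional library-side rejection of octets above 0x7F, and the server-side check of server_name against the application-layer host. The Python below is an added illustration of all three and is not GnuTLS code or anything from the thread's authors; it uses Python's built-in `idna` codec (RFC 3490 ToASCII, i.e. IDNA2003, the version discussed here rather than IDNAbis), and the sample hostnames and the helper names `prepare_server_name`, `is_ascii_only` and `sni_matches_host` are constructed for this example.

```python
import re

# Constructed sample inputs (not from the thread): hostnames an application
# might hand to gnutls_server_name_set before and after IDN conversion.
SAMPLE_HOSTNAMES = [
    "example.org",            # plain ASCII
    "Bücher.example",         # IDN, needs ACE conversion first
    "例え.テスト",              # IDN (IANA's Japanese test domain)
    "xn--bcher-kva.example",  # already in ACE form
]

# One LDH label: letters, digits, hyphens, 1..63 octets, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ascii_only(name):
    """Library-side check proposed in the thread: reject any octet > 0x7F."""
    return all(ord(ch) < 0x80 for ch in name)


def to_ace(name):
    """RFC 3490 ToASCII on every label, via Python's built-in 'idna' codec.

    The codec implements IDNA2003 (nameprep + punycode); labels that are
    already ASCII, such as 'xn--...' labels, pass through unchanged.
    """
    return name.encode("idna").decode("ascii")


def prepare_server_name(name):
    """Application-side step the updated GnuTLS docs require: convert to ACE,
    then confirm the result is a syntactically valid ASCII hostname.
    Raises ValueError instead of returning a name GnuTLS should never see."""
    ace = to_ace(name)
    if not is_ascii_only(ace) or len(ace) > 253:
        raise ValueError("not a valid ACE hostname: %r" % name)
    for label in ace.split("."):
        if not LDH_LABEL.match(label):
            raise ValueError("bad label %r in %r" % (label, name))
    return ace


def host_header_to_hostname(host_header):
    """Strip an optional :port from an HTTP Host header value.
    Bracketed IPv6 literals are kept whole; they never carry an SNI anyway."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def sni_matches_host(server_name, host_header):
    """Server-side cross-check suggested in the thread: the SNI server_name
    SHOULD agree with the application-layer equivalent (here HTTP's Host).
    Both sides are normalised to ACE so IDN and ACE spellings compare equal."""
    try:
        sni = prepare_server_name(server_name)
        host = prepare_server_name(host_header_to_hostname(host_header))
    except (ValueError, UnicodeError):
        return False
    return sni.lower() == host.lower()


if __name__ == "__main__":
    for raw in SAMPLE_HOSTNAMES:
        print("%-24s ascii=%-5s -> %s" % (raw, is_ascii_only(raw), prepare_server_name(raw)))
    print(sni_matches_host("xn--bcher-kva.example", "Bücher.example:443"))
```

`is_ascii_only` on the raw input is the strict check Daniel asks about and Simon weighs against interoperability; the example keeps it as a separate function so an application can decide whether to enforce it on raw input or only on the ACE output, where it is always satisfied.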
