[gnutls-devel] Mandatory to honor DN in server certificate requests?

Martin Storsjö martin at martin.st
Thu Apr 28 08:26:12 CEST 2016


On Thu, 28 Apr 2016, Nikos Mavrogiannopoulos wrote:

> On Wed, Apr 27, 2016 at 10:41 AM, Martin Storsjö <martin at martin.st> wrote:
>
> It is not the TLS protocol which will specify that behavior but rather
> the application protocol. gnutls takes the conservative approach and
> does not reveal the ID of the client if it doesn't match the expected
> ID from the server. That way, if you mistakenly specified your
> certificate from site A, your ID will not be revealed just because site
> B asked for a certificate as well.

Ok, that sounds sensible.

>> Is firefox at fault here (sending unrelated CAs as part of this handshake -
>> e.g. chrome doesn't send any such), or does gnutls need an option for
>> intentionally ignoring the requested CAs and sending whatever certificate is
>> provided, letting the server decide whether it is acceptable?
>
> If the server would accept a certificate not signed by anyone in its
> accepted list, why not send an empty list instead?

Fair enough - I guess it sounds like I should file a bug with firefox 
then.

> If there is a common use-case or scenario that the current behavior 
> doesn't handle we may want to provision for it somehow.
>
> That said, note that this behavior is only with the "automatic"
> handling of client certificates. If you want to force the client to
> send a certificate you can utilize the callbacks instead.

Ah, thanks for the hint! That's probably the best solution for me 
meanwhile.

// Martin

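The two policies discussed in this thread, as an added example that is not part of the original messages and not GnuTLS code: a small C model of the client-certificate decision. In TLS 1.2 the server's CertificateRequest carries a list of acceptable CA distinguished names (the `req_ca_rdn`/`nreqs` arguments a `gnutls_certificate_set_retrieve_function2` callback receives). The "automatic" policy presents the certificate only when that list is empty or contains the certificate's issuer, which is why a server that sends unrelated CAs gets nothing; an application callback can ignore the list and always offer the certificate. The DNs, the `dn_t` type and the `should_present_client_cert`/`scenario_*` helpers are constructed for this illustration.

```c
/*
 * Added example for this thread, not GnuTLS code: a model of the two
 * client-certificate selection policies discussed above.
 *
 * In TLS 1.2 the server's CertificateRequest carries a list of acceptable
 * CA distinguished names (DER-encoded). The "automatic" policy presents the
 * client certificate only when that list is empty or contains the
 * certificate's issuer; a retrieve callback can bypass the check and always
 * present it. All DNs below are constructed test data.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;
    size_t size;
} dn_t;

enum cert_policy {
    POLICY_AUTOMATIC,   /* default: match issuer against the requested CAs */
    POLICY_FORCE        /* retrieve-callback path: always offer the certificate */
};

/* Return 1 if the client certificate should be sent, 0 to withhold it. */
int should_present_client_cert(const dn_t *requested_cas, size_t nreqs,
                               const dn_t *cert_issuer, enum cert_policy policy)
{
    if (policy == POLICY_FORCE)
        return 1;               /* let the server decide whether it is acceptable */
    if (nreqs == 0)
        return 1;               /* empty list: the server accepts any CA */
    for (size_t i = 0; i < nreqs; i++) {
        /* DNs are compared as raw DER, so a byte-for-byte match is required */
        if (requested_cas[i].size == cert_issuer->size &&
            memcmp(requested_cas[i].data, cert_issuer->data, cert_issuer->size) == 0)
            return 1;
    }
    return 0;                   /* unrelated server: do not reveal our identity */
}

/* Constructed DER Names, each a single CN RDN: "CN=Site A CA" / "CN=Site B CA". */
static const uint8_t SITE_A_CA_DER[] = {
    0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x13, 0x09, 'S', 'i', 't', 'e', ' ', 'A', ' ', 'C', 'A'
};
static const uint8_t SITE_B_CA_DER[] = {
    0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x13, 0x09, 'S', 'i', 't', 'e', ' ', 'B', ' ', 'C', 'A'
};
static const dn_t SITE_A_CA = { SITE_A_CA_DER, sizeof SITE_A_CA_DER };
static const dn_t SITE_B_CA = { SITE_B_CA_DER, sizeof SITE_B_CA_DER };

/* In every scenario our client certificate was issued by Site A CA. */

/* Server asks for certificates from Site A CA: present. */
int scenario_matching_ca(void)
{
    const dn_t requested[] = { SITE_A_CA };
    return should_present_client_cert(requested, 1, &SITE_A_CA, POLICY_AUTOMATIC);
}

/* Server lists only an unrelated CA (Site B CA): withhold. */
int scenario_unrelated_ca(void)
{
    const dn_t requested[] = { SITE_B_CA };
    return should_present_client_cert(requested, 1, &SITE_A_CA, POLICY_AUTOMATIC);
}

/* Server sends an empty CA list: present. */
int scenario_empty_list(void)
{
    return should_present_client_cert(NULL, 0, &SITE_A_CA, POLICY_AUTOMATIC);
}

/* Same unrelated list, but the application forces the certificate via a callback. */
int scenario_forced_callback(void)
{
    const dn_t requested[] = { SITE_B_CA };
    return should_present_client_cert(requested, 1, &SITE_A_CA, POLICY_FORCE);
}

int main(void)
{
    printf("matching CA, automatic:   %s\n", scenario_matching_ca()     ? "send" : "withhold");
    printf("unrelated CA, automatic:  %s\n", scenario_unrelated_ca()    ? "send" : "withhold");
    printf("empty CA list, automatic: %s\n", scenario_empty_list()      ? "send" : "withhold");
    printf("unrelated CA, forced:     %s\n", scenario_forced_callback() ? "send" : "withhold");
    return 0;
}
```

The forced path is what the callback suggestion in the thread amounts to: the client stops filtering on the requested CA list and the server alone decides whether the certificate is acceptable, at the cost of revealing the client's identity to any server that asks.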
