[Help-gnutls] Checking hostname against certificate

Andrew McDonald andrew at mcdonald.org.uk
Sun Jan 27 22:22:37 CET 2002

I'm currently making some improvements to my mutt/gnutls patches. One
of the things today was to get mutt to check the name of the host it
thinks it has connected to against the certificate presented by the

My procedure is:
1) try to get name from gnutls_x509pki_extract_subject_dns_name
2) if that doesn't work, get common_name from cert
3) compare against hostname used (taking into account wildcard
hostnames in the certificate, e.g. "*.mcdonald.org.uk")

(Actually, might something along these lines be useful to put into
libgnutls itself?)

gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
As far as I understand it, this should extract a DNS name from a
Subject Alternative Name X.509v3 extension (as described in RFC2549,

For this I created a certificate with openssl, and I see the
appropriate extension:
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Alternative Name:
                email:root at mcdonald.org.uk, DNS:wompom.mcdonald.org.uk

extract_subject_dns_name returns 56

Looking at the code for the gnutls function, I see:
        if ((result =
             _gnutls_get_extension(cert, "2 5 29 17", &dnsname)) < 0) {
                return result;
        } is the OID for an AltName extension. How does
_gnutls_get_extension know you want the dNSName?
(extract_subject_dns_name doesn't seem to do any further processing on
it). And why can't it find the extension anyway?
(Also, what would happen if there were multiple dNSNames in there?)

Any ideas or hints?

(I can supply the certificate or conf file used to generate the
certificate if it helps).

Many thanks,

Andrew McDonald
E-mail: andrew at mcdonald.org.uk

More information about the Gnutls-help mailing list