[Help-gnutls] Checking hostname against certificate
nmav at gnutls.org
Mon Jan 28 09:13:08 CET 2002
On Sun, 27 Jan 2002 21:22:37 +0000 Andrew McDonald <andrew at mcdonald.org.uk> wrote:
> I'm currently making some improvements to my mutt/gnutls patches. One
> of the things today was to get mutt to check the name of the host it
> thinks it has connected to against the certificate presented by the
> My procedure is:
> 1) try to get name from gnutls_x509pki_extract_subject_dns_name
> 2) if that doesn't work, get common_name from cert
> 3) compare against hostname used (taking into account wildcard
> hostnames in the certificate, e.g. "*.mcdonald.org.uk")
This is right.
> (Actually, might something along these lines be useful to put into
> libgnutls itself?)
Well X.509 is a REALLY bloated protocol. There are a lot of things that
we should handle. An X.509 certificate may even contain videos, photographs
and anything that can get an OID. For gnutls I intend to add only basic
functionality required to work. (Hopefully there is aegypten, but I don't
know how far it can go yet.)
> gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
> As far as I understand it, this should extract a DNS name from a
> Subject Alternative Name X.509v3 extension (as described in RFC2549,
> section 4.2.1.7).
This function was never tested. Please, send me the certificate that
contains the dnsname, email extensions, so I can give it a test (and a fix).
> 2.5.29.17 is the OID for an AltName extension. How does
> _gnutls_get_extension know you want the dNSName?
It does not :)
> (extract_subject_dns_name doesn't seem to do any further processing on
> it). And why can't it find the extension anyway?
> (Also, what would happen if there were multiple dNSNames in there?)
This is tricky to handle. I'll see what I can do.
> Andrew McDonald
> E-mail: andrew at mcdonald.org.uk
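The three-step check discussed in the thread, written out as an added example (not code from the thread, mutt or GnuTLS): the dNSName list and the common name are assumed to have been extracted by the caller already, a wildcard is confined to the leftmost label, and a certificate that carries dNSName entries is matched against those only, with the common name consulted solely when no dNSName is present.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Compare one certificate name (possibly "*.example.org") with the hostname
 * the client connected to. Case-insensitive; a single leading "*." matches
 * exactly one DNS label and never the bare parent domain. */
int name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (pattern[0] == '*' && pattern[1] == '.') {
        /* refuse a wildcard that would cover a whole TLD, e.g. "*.org" */
        if (strchr(pattern + 2, '.') == NULL)
            return 0;
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        pattern += 2;   /* skip "*." and compare the remaining labels */
        host = dot + 1; /* skip exactly one label of the hostname */
    } else if (strchr(pattern, '*') != NULL) {
        return 0;       /* a wildcard anywhere else is not accepted */
    }
    for (; *pattern && *host; pattern++, host++)
        if (tolower((unsigned char)*pattern) != tolower((unsigned char)*host))
            return 0;
    return *pattern == '\0' && *host == '\0';
}

/* Hypothetical driver for the procedure: dns_names holds the dNSName SAN
 * entries already pulled from the certificate (constructed by the caller).
 * With any dNSName present the host must match one of them; only a
 * certificate with no dNSName at all falls back to the subject common name. */
int cert_matches_host(const char *const *dns_names, size_t n_dns,
                      const char *common_name, const char *host)
{
    if (n_dns > 0) {
        for (size_t i = 0; i < n_dns; i++)
            if (name_matches(dns_names[i], host))
                return 1;
        return 0;
    }
    return name_matches(common_name, host);
}
```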