[Help-gnutls] Checking hostname against certificate

Nikos Mavroyanopoulos nmav at gnutls.org
Mon Jan 28 09:13:08 CET 2002


On Sun, 27 Jan 2002 21:22:37 +0000 Andrew McDonald <andrew at mcdonald.org.uk> wrote:

Hello Andrew,

> I'm currently making some improvements to my mutt/gnutls patches. One
> of the things today was to get mutt to check the name of the host it
> thinks it has connected to against the certificate presented by the
> server.
> My procedure is:
> 1) try to get name from gnutls_x509pki_extract_subject_dns_name
> 2) if that doesn't work, get common_name from cert
> 3) compare against hostname used (taking into account wildcard
> hostnames in the certificate, e.g. "*.mcdonald.org.uk")
This is right.

> (Actually, might something along these lines be useful to put into
> libgnutls itself?)
Well X.509 is a REALLY bloated protocol. There are a lot of things that
we should handle. An X.509 certificate may even contain videos, photographs 
and anything that can get an OID. For gnutls I intend to add only basic 
functionality required to work. (Hopefully there is aegypten, but I don't
know how far it can go yet.)

> gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
> As far as I understand it, this should extract a DNS name from a
> Subject Alternative Name X.509v3 extension (as described in RFC2549,
> section 4.2.1.7).
This function was never tested. Please send me the certificate that
contains the dnsname, email extensions, so I can give it a test (and a fix).

> 2.5.29.17 is the OID for an AltName extension. How does
> _gnutls_get_extension know you want the dNSName?
it does not :)

> (extract_subject_dns_name doesn't seem to do any further processing on
> it). And why can't it find the extension anyway?
> (Also, what would happen if there were multiple dNSNames in there?)
This is tricky to handle. I'll see what I can do.

> Andrew
> -- 
> Andrew McDonald
> E-mail: andrew at mcdonald.org.uk
> http://www.mcdonald.org.uk/andrew/

-- 
Nikos Mavroyanopoulos
mailto:nmav at hellug.gr
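The three-step check described in the quoted message (dNSName from the subjectAltName extension, common name as a fallback, wildcard-aware comparison) can be written as a small matcher over the names a certificate parser hands back. The code below is an added example, not part of this mail and not GnuTLS's own code; the function names cert_name_matches and verify_hostname and the sample names are assumptions for illustration. It is stricter than the procedure in the mail on one point that a practitioner wants: when the certificate carries any dNSName entries, the CN is not consulted at all (the rule later written down in RFC 6125, section 6.4.4), so a stray CN cannot widen what the subjectAltName says. Wildcards are accepted only as the whole left-most label, match exactly one non-empty label, and are refused for single-label suffixes such as "*.uk".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges of the same length. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Length of a DNS name with one trailing '.' (absolute form) ignored. */
static size_t dns_len(const char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.')
        n--;
    return n;
}

/* Match one certificate name (a dNSName or the CN) against the hostname
 * the client connected to.  Hypothetical helper for this example. */
bool cert_name_matches(const char *pattern, const char *hostname)
{
    if (pattern == NULL || hostname == NULL)
        return false;
    size_t plen = dns_len(pattern);
    size_t hlen = dns_len(hostname);
    if (plen == 0 || hlen == 0)
        return false;
    if (memchr(hostname, '*', hlen) != NULL)   /* a hostname never wildcards */
        return false;

    const char *star = memchr(pattern, '*', plen);
    if (star == NULL) {
        /* Plain name: exact, case-insensitive comparison. */
        return plen == hlen && eq_nocase(pattern, hostname, plen);
    }

    /* Wildcard: accepted only as the entire left-most label, "*.rest". */
    if (star != pattern || plen < 2 || pattern[1] != '.')
        return false;
    const char *psuf = pattern + 1;            /* e.g. ".mcdonald.org.uk" */
    size_t slen = plen - 1;
    if (memchr(psuf, '*', slen) != NULL)       /* no second wildcard */
        return false;
    if (memchr(psuf + 1, '.', slen - 1) == NULL)
        return false;                          /* refuse "*.uk": too broad */

    /* The '*' covers exactly one non-empty label; the rest must be equal.
     * So "*.mcdonald.org.uk" matches "www.mcdonald.org.uk" but neither
     * "mcdonald.org.uk" nor "a.b.mcdonald.org.uk". */
    const char *hdot = memchr(hostname, '.', hlen);
    if (hdot == NULL || hdot == hostname)
        return false;
    size_t hslen = hlen - (size_t)(hdot - hostname);
    return hslen == slen && eq_nocase(psuf, hdot, slen);
}

/* Decide which names to test.  dNSName entries from subjectAltName take
 * precedence; the subject CN is used only when the certificate has no
 * dNSName at all (RFC 6125, section 6.4.4). */
bool verify_hostname(const char *hostname,
                     const char *const *dns_names, size_t ndns,
                     const char *cn)
{
    if (ndns > 0) {
        for (size_t i = 0; i < ndns; i++)
            if (cert_name_matches(dns_names[i], hostname))
                return true;
        return false;                          /* CN deliberately ignored */
    }
    return cn != NULL && cert_name_matches(cn, hostname);
}

int main(void)
{
    /* Constructed sample of what a certificate parser would return. */
    const char *sans[] = { "mail.mcdonald.org.uk", "*.mcdonald.org.uk" };
    const char *hosts[] = { "www.mcdonald.org.uk", "MAIL.mcdonald.org.uk",
                            "mcdonald.org.uk", "a.b.mcdonald.org.uk" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %s\n", hosts[i],
               verify_hostname(hosts[i], sans, 2, "unused-cn") ? "match" : "no match");
    return 0;
}
```

The caller is expected to pass every dNSName the parser found (the mail's question about multiple dNSNames is answered by looping over all of them), not just the first; a certificate that only has an IP address or an email SAN still falls back to the CN here, since it carries no dNSName.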