[Help-gnutls] Re: IDN and TLS certificates

Simon Josefsson jas at extundo.com
Fri Mar 17 12:25:38 CET 2006

Martin Lambers <marlam at marlam.de> writes:

> Hi!
> I'm not sure how to handle Internationalized Domain Names when verifying
> TLS certificates.
> As I understand, a TLS certificate for räksmörgås.josefßon.example
> should contain the value "xn--rksmrgs-5wao1o.josefsson.example" in a
> subjectAltName field of type DNS, therefore an application should first
> translate "räksmörgås.josefßon.example" to
> "xn--rksmrgs-5wao1o.josefsson.example" before calling
> gnutls_x509_crt_check_hostname(). Is this correct?

Yes.  subjectAltName is a IDN-unaware domain name slot, so it should
contain encoded IDNs, and the hostname parameter to
gnutls_x509_crt_check_hostname is also a IDN-unaware domain name slot.

I'm not sure there is much point in making GnuTLS handle IDN before
PKIX/TLS is IDN-aware.

The ServerName extension in TLS 1.1 is IDN-aware though, and maybe
there is some place for better IDN-handling in GnuTLS there, but I
can't think of any specific improvement.


More information about the Gnutls-help mailing list