[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Simon Josefsson simon at josefsson.org
Mon May 14 11:01:13 CEST 2007


ludo at chbouib.org (Ludovic Courtès) writes:

>> I don't know whether it is OK for a client to send an X.509 client cert
>> that doesn't match one of the authorities sent by the server.  Maybe
>> that should be possible?
>
> Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but
> they seem to imply that a "suitable" certificate is one that matches
> the "known roots and [...] desired authorization space" specified in the
> `certificate_authorities' field of the certificate request.

I just noticed that GnuTLS allows sending a user-selected certificate
via the certificate callback interface -- I authenticated using my eID
smart card against test.gnutls.org, and it certainly doesn't have the
eID CA cert installed.

I think this sounds like a good situation.  The application can provide
many user credentials, and GnuTLS will pick one of them that matches the
CA information sent from the server.  It won't pick one of them if none
of them matches the CA information.  If the application wants to decide
for itself which certificate to send, and possibly send one that doesn't
match any CA sent by the server, it has to use the callback interface.

/Simon
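The selection rule described in the reply above, as an added example that is not GnuTLS code: it encodes and parses the certificate_authorities field of a TLS 1.1 CertificateRequest (RFC 4346 section 7.4.4), picks the first credential whose issuer DN appears in that list, returns nothing when no credential matches, and shows the callback path by which the application can override that choice. The CA names and credential records are constructed for the sample, and the CN-only DN encoder is a simplifying assumption (real issuer names carry more attributes).

```python
import struct

def encode_dn_cn(cn: str) -> bytes:
    """DER-encode a minimal X.501 Name holding only a commonName (OID 2.5.4.3).
    Assumes the name is short enough for single-byte DER lengths (< 120 chars)."""
    cn_b = cn.encode()
    assert len(cn_b) < 120, "sample encoder only handles short-form lengths"
    attr = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(cn_b)]) + cn_b  # OID + UTF8String
    atv_seq = b"\x30" + bytes([len(attr)]) + attr        # AttributeTypeAndValue
    rdn_set = b"\x31" + bytes([len(atv_seq)]) + atv_seq  # RelativeDistinguishedName
    return b"\x30" + bytes([len(rdn_set)]) + rdn_set     # Name

def encode_certificate_authorities(dns):
    """certificate_authorities<0..2^16-1> of DistinguishedName<1..2^16-1> (RFC 4346 7.4.4)."""
    body = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    return struct.pack("!H", len(body)) + body

def parse_certificate_authorities(blob):
    """Parse the wire field back into a list of DER-encoded names, rejecting truncation."""
    total, = struct.unpack_from("!H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("certificate_authorities length does not match payload")
    dns, off = [], 2
    while off < 2 + total:
        n, = struct.unpack_from("!H", blob, off)
        off += 2
        if n == 0 or off + n > len(blob):
            raise ValueError("truncated DistinguishedName")
        dns.append(blob[off:off + n])
        off += n
    return dns

def default_select(cas, credentials):
    """Automatic choice: first credential whose issuer DN is among the server's CAs.
    None means no suitable certificate, so the client would send an empty Certificate."""
    for cred in credentials:
        if cred["issuer_dn"] in cas:
            return cred
    return None

def select_client_cert(blob, credentials, retrieve_callback=None):
    """Callback path: the application decides itself and may ignore the CA list entirely."""
    cas = parse_certificate_authorities(blob)
    if retrieve_callback is not None:
        return retrieve_callback(cas, credentials)
    return default_select(cas, credentials)

# Constructed sample: the server advertises one CA; the client holds two credentials.
SERVER_CAS = encode_certificate_authorities([encode_dn_cn("Constructed Test CA")])
CREDENTIALS = [
    {"name": "eid", "issuer_dn": encode_dn_cn("Constructed eID CA")},
    {"name": "test", "issuer_dn": encode_dn_cn("Constructed Test CA")},
]
```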
