Couple of questions regarding CommonName and peer verification
org.gnu.help-gnutls at coreland.ath.cx
Mon Aug 23 20:28:33 CEST 2010
'Lo.
I'm working on a small server program (the actual details of which
aren't important).
I want to use certificates and TLS to provide strong authentication
but two questions still remain:
1. Users have accounts on the server. A user may have many
certificates registered to his account (and may log in using
any of them). I want the user's username to appear in each
certificate and the proper place for this appears to be in
the CommonName field. The problem: Unless I'm mistaken, this
field seems to be assumed to contain a hostname which is then
checked and results in a warning if it doesn't match the
expected value (which of course, it never will). Is there
a better place to put an application-specific username in
certificates?
2. I want to only allow connections from peers the server
has certificates for - a whitelist. What's the simplest
way to implement this? At the moment, I can only seem to
get GnuTLS to verify peers with the CA (which it needs to
do anyway, but I want to add this additional restriction).
As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).
Perhaps there's a better way, though?
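The two checks the post asks about, as an added example that is not part of the original message or of GnuTLS: reading the username back out of a DER-encoded subject Name (so the CN is treated as an application attribute rather than a hostname), and allow-listing peers by SHA-256 fingerprint of the DER certificate in addition to CA verification. The DER inputs below are constructed for the example; in a real server the bytes would come from the peer's certificate after the usual CA verification has passed.

```python
import hashlib
import hmac

OID_COMMON_NAME = b"\x55\x04\x03"  # DER encoding of id-at-commonName (2.5.4.3)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def common_name_from_subject(der_name):
    """Return the CN attribute of a DER X.509 Name as text, or None if there is none."""
    tag, rdn_seq, _ = _read_tlv(der_name, 0)
    if tag != 0x30:  # Name ::= SEQUENCE OF RelativeDistinguishedName
        raise ValueError("subject is not a DER SEQUENCE")
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = _read_tlv(rdn_seq, pos)  # RDN ::= SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _read_tlv(rdn_set, inner)
            oid_tag, oid, after_oid = _read_tlv(atv, 0)
            if oid_tag == 0x06 and oid == OID_COMMON_NAME:
                _, value, _ = _read_tlv(atv, after_oid)
                return value.decode("utf-8")
    return None


def certificate_fingerprint(der_cert):
    """SHA-256 hex fingerprint of the DER certificate, the key for the allow-list."""
    return hashlib.sha256(der_cert).hexdigest()


def peer_is_whitelisted(der_cert, allowed_fingerprints):
    """True if the certificate's fingerprint is on the list; constant-time compares."""
    fp = certificate_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, allowed) for allowed in allowed_fingerprints)


# Constructed DER Names: "CN=alice" and "O=Example, CN=bob" (hand-encoded for the example)
SUBJECT_ALICE = bytes.fromhex("3010310e300c0603550403" "0c05616c696365")
SUBJECT_BOB = bytes.fromhex("30203110300e060355040a0c074578616d706c65"
                            "310c300a06035504030c03626f62")
# Constructed stand-in for a peer's DER certificate bytes (any byte string hashes the same way)
SAMPLE_CERT = b"constructed-example-certificate-bytes"
ALLOWED = {certificate_fingerprint(SAMPLE_CERT)}
```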