Couple of questions regarding CommonName and peer verification at at
Mon Aug 23 20:28:33 CEST 2010


I'm working on a small server program (the actual details of which
aren't important).

I want to use certificates and TLS to provide strong authentication
but two questions still remain:

1. Users have accounts on the server. A user may have many
   certificates registered to his account (and may log in using
   any of them). I want the user's username to appear in each
   certificate and the proper place for this appears to be in
   the CommonName field. The problem: Unless I'm mistaken, this
   field seems to be assumed to contain a hostname which is then
   checked and results in a warning if it doesn't match the
   expected value (which of course, it never will). Is there
   a better place to put an application-specific username in

2. I want to only allow connections from peers the server
   has certificates for - a whitelist. What's the simplest
   way to implement this? At the moment, I can only seem to
   get GnuTLS to verify peers with the CA (which it needs to
   do anyway, but I want to add this additional restriction).

As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).

Perhaps there's a better way, though?

More information about the Gnutls-help mailing list