Couple of questions regarding CommonName and peer verification
lfinsto at gwdg.de
lfinsto at gwdg.de
Wed Aug 25 12:33:55 CEST 2010
On Mon, August 23, 2010 8:28 pm, org.gnu.help-gnutls at coreland.ath.cx wrote:
> I'm working on a small server program (the actual details of which
> I want to use certificates and TLS to provide strong authentication but
two questions still remain:
> 1. Users have accounts on the server. A user may have many
> certificates registered to his account (and may log in using
> any of them). I want the user's username to appear in each
> certificate and the proper place for this appears to be in
> the CommonName field. The problem: Unless I'm mistaken, this
> field seems to be assumed to contain a hostname which is then checked
and results in a warning if it doesn't match the
> expected value (which of course, it never will). Is there
> a better place to put an application-specific username in
I have the same problem. My solution is to not call
`gnutls_x509_crt_check_hostname' when verifying the client certificate. I
have a certificate from a "real" CA, i.e., one issued by a research
institution, and the CommonName field contains my name and nothing else.
It is not intended that it should be bound to any particular machine,
server, domain, or similar entity. I think it's reasonable for a person
to be able to use a single certificate from various computers. However,
I'm still finding my way with respect to X.509 certificates, so perhaps
there's a better solution. At any rate, this certificate, which I must
use on the client-side, would seem to be incompatible with the use
`gnutls_x509_crt_check_hostname' by the server.
> 2. I want to only allow connections from peers the server
> has certificates for - a whitelist. What's the simplest
> way to implement this? At the moment, I can only seem to
> get GnuTLS to verify peers with the CA (which it needs to
> do anyway, but I want to add this additional restriction).
I think the best place to do this would be following the call to `accept'
on the server side. The following (C++) code fragment shows how to get
the IP address (and port) of the client that has just initiated a
int listen_sd, sd;
struct sockaddr_in sa_cli;
sd = accept (listen_sd, (SA *) & sa_cli, (socklen_t*) &client_len);
temp_strm << thread_ctr_str << "In `listen_auth': Connection from "
<< inet_ntop (AF_INET,
topbuf, sizeof (topbuf))
<< ", port " << ntohs (sa_cli.sin_port)
I think it should be easy to check it against a list of IP-addresses and
break off the connection if it's not in the list.
> As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).
I think this would only be useful for testing purposes and wouldn't work
for "real" CA certificates issued by "trusted" organizations.
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
Telefon: +49 551 201-1882
E-Mail: lfinsto at gwdg.de
More information about the Gnutls-help