Couple of questions regarding CommonName and peer verification

lfinsto at lfinsto at
Wed Aug 25 12:33:55 CEST 2010

On Mon, August 23, 2010 8:28 pm, at wrote:
> 'Lo.
> I'm working on a small server program (the actual details of which
aren't important).
> I want to use certificates and TLS to provide strong authentication but
two questions still remain:
> 1. Users have accounts on the server. A user may have many
>    certificates registered to his account (and may log in using
>    any of them). I want the user's username to appear in each
>    certificate and the proper place for this appears to be in
>    the CommonName field. The problem: Unless I'm mistaken, this
>    field seems to be assumed to contain a hostname which is then checked
and results in a warning if it doesn't match the
>    expected value (which of course, it never will). Is there
>    a better place to put an application-specific username in
>    certificates?

I have the same problem.  My solution is to not call
`gnutls_x509_crt_check_hostname' when verifying the client certificate. I
have a certificate from a "real" CA, i.e., one issued by a research
institution, and the CommonName field contains my name and nothing else. 
It is not intended that it should be bound to any particular machine,
server, domain, or similar entity.  I think it's reasonable for a person
to be able to use a single certificate from various computers.  However,
I'm still finding my way with respect to X.509 certificates, so perhaps
there's a better solution.  At any rate, this certificate, which I must
use on the client-side, would seem to be incompatible with the use
`gnutls_x509_crt_check_hostname' by the server.
> 2. I want to only allow connections from peers the server
>    has certificates for - a whitelist. What's the simplest
>    way to implement this? At the moment, I can only seem to
>    get GnuTLS to verify peers with the CA (which it needs to
>    do anyway, but I want to add this additional restriction).

I think the best place to do this would be following the call to `accept'
on the server side.  The following (C++) code fragment shows how to get
the IP address (and port) of the client that has just initiated a
  int listen_sd, sd;
  struct sockaddr_in sa_cli;
  int client_len;
  char topbuf[512];
  stringstream temp_strm;


  sd = accept (listen_sd, (SA *) & sa_cli, (socklen_t*) &client_len);

  temp_strm << thread_ctr_str << "In `listen_auth':  Connection from "
            << inet_ntop (AF_INET,
                          topbuf, sizeof (topbuf))
                << ", port " << ntohs (sa_cli.sin_port)
                << endl;

I think it should be easy to check it against a list of IP-addresses and
break off the connection if it's not in the list.

> As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).

I think this would only be useful for testing purposes and wouldn't work
for "real" CA certificates issued by "trusted" organizations.

Laurence Finston

Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen

Telefon: 	+49 551 201-1882
E-Mail: 	lfinsto at

More information about the Gnutls-help mailing list