Couple of questions regarding CommonName and peer verification

Nikos Mavrogiannopoulos nmav at
Wed Aug 25 16:58:25 CEST 2010

On 08/23/2010 08:28 PM, at wrote:
> 'Lo.
> I'm working on a small server program (the actual details of which
> aren't important).
> I want to use certificates and TLS to provide strong authentication
> but two questions still remain:
> 1. Users have accounts on the server. A user may have many
>    certificates registered to his account (and may log in using
>    any of them). I want the user's username to appear in each
>    certificate and the proper place for this appears to be in
>    the CommonName field. The problem: Unless I'm mistaken, this
>    field seems to be assumed to contain a hostname which is then
>    checked and results in a warning if it doesn't match the
>    expected value (which of course, it never will). Is there
>    a better place to put an application-specific username in
>    certificates?

Only if you use it as a web server certificate. Otherwise you are free
to put whatever you like there. I remember there was a UID field as well.

> 2. I want to only allow connections from peers the server
>    has certificates for - a whitelist. What's the simplest
>    way to implement this? At the moment, I can only seem to
>    get GnuTLS to verify peers with the CA (which it needs to
>    do anyway, but I want to add this additional restriction).

Why not use certificates and certificate revocation lists? Otherwise
there is no point into using certificates at all. You could use TLS-SRP
or TLS-PSK with symmetric keys and avoid the burden of certificates.

If you insist on this restriction just compare the certificate sent in
the connection with the certificates in your whitelist.

> As for the second question, I suppose I could create a server-specific
> CA, issue certificates to all clients and then only check connecting
> client certs against that CA (effectively creating a whitelist).

This is the obvious thing of doing when using certificates for
authentication. You can revoke certificates and put them into a server
accessible revocation list as well.


More information about the Gnutls-help mailing list