Help needed with x.509 certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Nov 19 19:51:00 CET 2011


On 11/18/2011 07:04 PM, Rebel Neurofog wrote:
>> Welcome to the X.509 world. Certificates are being distinguished by the
>> extensions they are tagged with. I.e. you can tag the certificate as a
>> CA or not (using X.509v3 extensions). If you don't use the
>> tls_www_server then the only way to distinguish server from client
>> certificates are the text fields of the distinguished name.
> But if I don't use tls_www_server and tls_www_client I actually get
> some error message and things don't work.

This wasn't your issue (I think I pointed that out in a previous e-mail).

> 1. So, "www" is misused and not related to Web actually, right?

Not really. It is a hint to the peer on what to expect on the
certificate, nothing more than that. Most certificates don't include it.

> 2. Just using tls_www_server and tls_www_client is enough to be sure
> of correct certificate usage - GnuTLS will ensure that (failing in
> case of misusing certificate), right?

No. GnuTLS will only honor the key usage flags (that is, the flags that
say whether the certificate is sign only or encrypt only, e.g. in RSA
certificates).

> In case of common CA and same 'gnutls_certificate_set_x509_trust_file ()'
> there may be the following situation:
> - server A and server B have certificates from the same CA
> - server A gives certificate to client X

What do you mean server gives certificate to X? A CA signs and "gives"
certificates, not a server. (Typically only certificates with the CA
flag are allowed to sign other certificates).

> - client X uses certificate given by server A to connect to server B
> - and it works

You have to be more precise on what you mean by works.
When you call gnutls_certificate_set_x509_trust_file() on the server
side you instruct the server to request from the client a certificate
from one of the included CAs. If the server sees another certificate
then it would consider it untrusted.

regards,
Nikos
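
The reply above says the tls_www_server / tls_www_client purposes are only a hint and that GnuTLS honors just the key usage flags, so an application that needs the server/client distinction has to check the purpose itself. The sketch below is an added example, not part of the original e-mail or of GnuTLS: it scans the value of the extended key usage extension (OID 2.5.29.37) for a required purpose OID. The names eku_check, der_hdr and EKU_* are hypothetical, and it assumes the caller has already extracted the extension value and that all lengths are short-form.

```c
#include <stddef.h>
#include <string.h>

/* DER content bytes of the purposes behind tls_www_server and tls_www_client:
   id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2). */
const unsigned char KP_SERVER[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
const unsigned char KP_CLIENT[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02};

enum { EKU_OK = 0, EKU_ABSENT = 1, EKU_MISMATCH = 2, EKU_MALFORMED = 3 };

/* Read one DER header with the expected tag and a short-form length (< 128).
   Returns 0 on success, -1 if the header is wrong or overruns the buffer. */
static int der_hdr(const unsigned char *p, size_t n, unsigned char tag,
                   size_t *len)
{
    if (n < 2 || p[0] != tag || (p[1] & 0x80) || (size_t)p[1] > n - 2)
        return -1;
    *len = p[1];
    return 0;
}

/* eku/eku_len: value of extension 2.5.29.37 (SEQUENCE OF OID), or NULL/0 when
   the certificate has no such extension. The whole value is parsed before a
   verdict is returned, so trailing garbage is reported as malformed. */
int eku_check(const unsigned char *eku, size_t eku_len,
              const unsigned char *want, size_t want_len)
{
    size_t seq_len, oid_len, off = 2;
    int found = 0;
    if (eku == NULL || eku_len == 0)
        return EKU_ABSENT;          /* accept or reject: caller's policy */
    if (der_hdr(eku, eku_len, 0x30, &seq_len) || seq_len + 2 != eku_len)
        return EKU_MALFORMED;
    while (off < eku_len) {
        if (der_hdr(eku + off, eku_len - off, 0x06, &oid_len))
            return EKU_MALFORMED;
        if (oid_len == want_len && memcmp(eku + off + 2, want, want_len) == 0)
            found = 1;
        off += 2 + oid_len;
    }
    return found ? EKU_OK : EKU_MISMATCH;
}

/* Constructed sample: an extension value listing only id-kp-serverAuth. */
const unsigned char SAMPLE_SERVER_EKU[] =
    {0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
```

EKU_ABSENT is returned separately because, as the reply notes, most certificates do not include the purpose at all, so the application must decide whether a missing purpose is acceptable. In a GnuTLS program the purpose OIDs can be read with gnutls_x509_crt_get_key_purpose_oid() instead of parsing DER by hand.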



