"known in advance" public key authentication?

Florian Weimer fw at deneb.enyo.de
Wed Nov 7 22:52:33 CET 2012

* Ivan Shmakov:

> 	Hence, the question is: is there a way to specify the local key
> 	pair and the remote public key to GnuTLS “directly”, just prior
> 	to connecting the remote?

I recommend to use self-signed X.509 certificates, this way you can
port your software to other crypto libraries.  It is possible to
override the certificate verification function and replace the
PKI-based verificiation with something that performs a database
lookup, for instance.  You can use the subject DN or a hash to look up
the certificate in the database, and perform a bit-wise comparison
between the peer certificate and what is found in the database.

Make sure your certificates are valid X.509v3.  GNUTLS is extremely
forgiving, and if you've got a widely deployed certificate which
cannot be used with Java (for instance), this can be annoying.

More information about the Gnutls-help mailing list