"known in advance" public key authentication?
Florian Weimer
fw at deneb.enyo.de
Wed Nov 7 22:52:33 CET 2012
* Ivan Shmakov:
> Hence, the question is: is there a way to specify the local key
> pair and the remote public key to GnuTLS “directly”, just prior
> to connecting the remote?
I recommend to use self-signed X.509 certificates, this way you can
port your software to other crypto libraries. It is possible to
override the certificate verification function and replace the
PKI-based verificiation with something that performs a database
lookup, for instance. You can use the subject DN or a hash to look up
the certificate in the database, and perform a bit-wise comparison
between the peer certificate and what is found in the database.
Make sure your certificates are valid X.509v3. GNUTLS is extremely
forgiving, and if you've got a widely deployed certificate which
cannot be used with Java (for instance), this can be annoying.
More information about the Gnutls-help
mailing list