help-gnutls

Couple of questions regarding CommonName and peer verification


From: org . gnu . help-gnutls
Subject: Couple of questions regarding CommonName and peer verification
Date: Mon, 23 Aug 2010 18:28:33 +0000

'Lo.

I'm working on a small server program (the actual details of which
aren't important).

I want to use certificates and TLS to provide strong authentication
but two questions still remain:

1. Users have accounts on the server. A user may have many
   certificates registered to his account (and may log in using
   any of them). I want the user's username to appear in each
   certificate and the proper place for this appears to be in
   the CommonName field. The problem: Unless I'm mistaken, this
   field seems to be assumed to contain a hostname which is then
   checked and results in a warning if it doesn't match the
   expected value (which of course, it never will). Is there
   a better place to put an application-specific username in
   certificates?

2. I want to only allow connections from peers the server
   has certificates for - a whitelist. What's the simplest
   way to implement this? At the moment, I can only seem to
   get GnuTLS to verify peers with the CA (which it needs to
   do anyway, but I want to add this additional restriction).

As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).

Perhaps there's a better way, though?
