[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Couple of questions regarding CommonName and peer verification
|
From: |
lfinsto |
|
Subject: |
Re: Couple of questions regarding CommonName and peer verification |
|
Date: |
Wed, 25 Aug 2010 12:33:55 +0200 |
|
User-agent: |
SquirrelMail/1.4.20 |
On Mon, August 23, 2010 8:28 pm, address@hidden wrote:
> 'Lo.
> I'm working on a small server program (the actual details of which
aren't important).
> I want to use certificates and TLS to provide strong authentication but
two questions still remain:
> 1. Users have accounts on the server. A user may have many
> certificates registered to his account (and may log in using
> any of them). I want the user's username to appear in each
> certificate and the proper place for this appears to be in
> the CommonName field. The problem: Unless I'm mistaken, this
> field seems to be assumed to contain a hostname which is then checked
and results in a warning if it doesn't match the
> expected value (which of course, it never will). Is there
> a better place to put an application-specific username in
> certificates?
I have the same problem. My solution is to not call
`gnutls_x509_crt_check_hostname' when verifying the client certificate. I
have a certificate from a "real" CA, i.e., one issued by a research
institution, and the CommonName field contains my name and nothing else.
It is not intended that it should be bound to any particular machine,
server, domain, or similar entity. I think it's reasonable for a person
to be able to use a single certificate from various computers. However,
I'm still finding my way with respect to X.509 certificates, so perhaps
there's a better solution. At any rate, this certificate, which I must
use on the client-side, would seem to be incompatible with the use
`gnutls_x509_crt_check_hostname' by the server.
> 2. I want to only allow connections from peers the server
> has certificates for - a whitelist. What's the simplest
> way to implement this? At the moment, I can only seem to
> get GnuTLS to verify peers with the CA (which it needs to
> do anyway, but I want to add this additional restriction).
I think the best place to do this would be following the call to `accept'
on the server side. The following (C++) code fragment shows how to get
the IP address (and port) of the client that has just initiated a
connection:
int listen_sd, sd;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
stringstream temp_strm;
[...]
sd = accept (listen_sd, (SA *) & sa_cli, (socklen_t*) &client_len);
temp_strm.str("");
temp_strm << thread_ctr_str << "In `listen_auth': Connection from "
<< inet_ntop (AF_INET,
&sa_cli.sin_addr,
topbuf, sizeof (topbuf))
<< ", port " << ntohs (sa_cli.sin_port)
<< endl;
I think it should be easy to check it against a list of IP-addresses and
break off the connection if it's not in the list.
> As for the second question, I suppose I could create a server-specific
CA, issue certificates to all clients and then only check connecting
client certs against that CA (effectively creating a whitelist).
I think this would only be useful for testing purposes and wouldn't work
for "real" CA certificates issued by "trusted" organizations.
Laurence Finston
-------------------------------------------------------------
Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen
Telefon: +49 551 201-1882
E-Mail: address@hidden