RE: certificate validation callbacks [was: Re: validating SAN URIs in gn
From: peter williams
Subject: RE: certificate validation callbacks [was: Re: validating SAN URIs in gntls]
Date: Tue, 8 Mar 2011 10:12:38 -0800
Perhaps, yes.
Does the GNUTLS *test* server use it to set a callback, that then verifies cert
chains (such as self-signed client authn cert is indeed self-signed)?
I've been pointing folks at the GNUTLS test server, showing how it prints out
the value of the client cert, showing its SAN_URI content in particular. The
question I had in my mind, originally, was: was the signature on the cert even
verified (by the lib, OR by the test server callback code)?
I can presume (I hope) that mere delivery of the client cert to the server by
the library means that the SSL (RSA) ciphersuite was properly enforced by the
library, ensuring that the RSA signature due to the clientauthn procedure of
SSL matched the pubkey in the cert.
SSL doesn’t require that last condition; which motivates my question. A library
might use a cache of "trusted pubkeys" to validate the RSA signature due to
client authn, totally ignoring the client certs also received on the wire.
Nothing requires that client authn enforcement and signature checking (for RSA)
use the pubkeys from certs in the inbound certificate message (though this is
commonly done).
At some point, I suppose I'll just have to read all the code, to see what it
all does.
-----Original Message-----
From: address@hidden [mailto:address@hidden On Behalf Of Nikos Mavrogiannopoulos
Sent: Tuesday, March 08, 2011 12:28 AM
To: address@hidden
Cc: Daniel Kahn Gillmor; peter williams
Subject: Re: certificate validation callbacks [was: Re: validating SAN URIs in
gntls]
On Mon, Mar 7, 2011 at 8:19 PM, Daniel Kahn Gillmor <address@hidden> wrote:
> On 03/07/2011 01:30 PM, peter williams wrote:
>> One might want to think about enabling GNUTLS servers to easily add
>> a validation callback *mechanism* for the case that SAN URI(s)
>> (possibly plural) are received in client certs.
> certificate validation callbacks would be a very nice thing to have,
> particularly if they include information about which particular
> session is triggering the verification.
I don't really understand what kind of callbacks the discussion is about.
Isn't the callback set by gnutls_certificate_set_verify_function() sufficient?
regards,
Nikos
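An added example, not code from GnuTLS or from anyone in this thread, that makes the point of the message above concrete in Python: a client certificate that merely arrived in the Certificate message is not evidence of anything, so SAN URIs are read from it only after its chain has been validated, and when several URIs are present the identity is resolved unambiguously or not at all. The input is shaped like the dict Python's ssl.SSLSocket.getpeercert() returns (Python's ssl fills it in only for a certificate it verified under CERT_REQUIRED; in GnuTLS the equivalent step is the application calling gnutls_certificate_verify_peers2() inside the callback installed with gnutls_certificate_set_verify_function()). The sample certificate dict, the function names and the identity registry are constructed for this example.

```python
"""Policy for SAN URIs in a TLS client certificate (constructed example).

Input is shaped like ssl.SSLSocket.getpeercert(): a dict of parsed fields
whose 'subjectAltName' is a tuple of (type, value) pairs. Nothing here
talks to GnuTLS; it only shows what the application must enforce before
a SAN URI is treated as the client's identity.
"""
from urllib.parse import urlsplit


class ClientCertNotVerified(Exception):
    """Raised when SAN content is requested from an unverified certificate."""


# Constructed sample: what a server might see after a client-auth handshake.
# Note the third URI: an attacker-controlled cert can carry any SAN it likes.
SAMPLE_CERT = {
    "subject": ((("commonName", "alice"),),),
    "subjectAltName": (
        ("DNS", "alice.example.test"),
        ("URI", "https://example.test/users/alice"),
        ("URI", "urn:example:alice"),
        ("URI", "ftp://evil.test/x"),
    ),
}

# Constructed registry mapping a SAN URI to a local principal.
REGISTRY = {
    "https://example.test/users/alice": "alice",
    "urn:example:alice": "alice",
    "urn:example:bob": "bob",
}


def san_uris(peercert):
    """Return the uniformResourceIdentifier SAN entries, in certificate order."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "URI"]


def trusted_san_uris(peercert, chain_verified, allowed_schemes=("https", "urn")):
    """Return the SAN URIs that may be used as the client's identity.

    chain_verified: whether the library (Python ssl under CERT_REQUIRED) or
    the application's own verify callback (GnuTLS) validated the signature
    chain on peercert. Delivery of the cert on the wire proves nothing by
    itself, so without that flag the SAN content is attacker-chosen.
    """
    if not chain_verified:
        raise ClientCertNotVerified("refusing to read SAN URIs from an unverified certificate")
    if not peercert:
        # Python's ssl returns {} from getpeercert() when no validated cert exists.
        return []
    out = []
    for uri in san_uris(peercert):
        if urlsplit(uri).scheme.lower() in allowed_schemes:
            out.append(uri)
    return out


def resolve_principal(peercert, chain_verified, registry=REGISTRY):
    """Map the cert to exactly one local principal, or None.

    Several SAN URIs may be present; they are only accepted if every
    registered one names the same principal, so a cert cannot be used to
    pick between identities.
    """
    principals = {registry[u] for u in trusted_san_uris(peercert, chain_verified) if u in registry}
    if len(principals) != 1:
        return None
    return principals.pop()


if __name__ == "__main__":
    print("SAN URIs on the wire:", san_uris(SAMPLE_CERT))
    print("usable after chain validation:", trusted_san_uris(SAMPLE_CERT, chain_verified=True))
    print("principal:", resolve_principal(SAMPLE_CERT, chain_verified=True))
    try:
        trusted_san_uris(SAMPLE_CERT, chain_verified=False)
    except ClientCertNotVerified as e:
        print("unverified cert:", e)
```

The chain_verified flag is the whole point: in GnuTLS it is the result the application obtains itself in the verify callback, and a server that prints SAN_URI values without having asked for that result is printing unauthenticated data.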