Martin Lambers <[EMAIL PROTECTED]> writes:

> Hi!
>
> I'm not sure how to handle Internationalized Domain Names when verifying
> TLS certificates.
>
> As I understand, a TLS certificate for räksmörgås.josefßon.example
> should contain the value "xn--rksmrgs-5wao1o.josefsson.example" in a
> subjectAltName field of type DNS, therefore an application should first
> translate "räksmörgås.josefßon.example" to
> "xn--rksmrgs-5wao1o.josefsson.example" before calling
> gnutls_x509_crt_check_hostname(). Is this correct?
Yes. subjectAltName is an IDN-unaware domain name slot, so it should contain encoded IDNs, and the hostname parameter to gnutls_x509_crt_check_hostname is also an IDN-unaware domain name slot.

I'm not sure there is much point in making GnuTLS handle IDN before PKIX/TLS is IDN-aware. The ServerName extension in TLS 1.1 is IDN-aware though, and maybe there is some place for better IDN-handling in GnuTLS there, but I can't think of any specific improvement.

Regards,
Simon
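The exchange above boils down to one rule: convert the user-supplied name to A-labels first, then compare it against the dNSName entries, which are ASCII-only by definition. The following is an added example illustrating that rule in Python; it is not GnuTLS code and not part of the original thread. It uses the standard library "idna" codec, which implements IDNA2003 nameprep and therefore maps "ß" to "ss" exactly as the thread's example does (IDNA2008 treats "ß" differently, so a library following that newer profile would produce a different A-label for "josefßon"). The matching logic, the single-leftmost-label wildcard rule and the sample SAN lists are my own constructions, not the behaviour of gnutls_x509_crt_check_hostname.

```python
# Added example: hostname-to-A-label conversion and a minimal dNSName match.
# Not GnuTLS code; sample SAN values below are constructed for illustration.


def to_a_label_hostname(hostname: str) -> str:
    """Return the ASCII (A-label) form of a possibly internationalized hostname.

    This is the form that belongs in a dNSName subjectAltName and the form a
    caller should hand to an IDN-unaware verifier. The stdlib 'idna' codec
    applies nameprep (IDNA2003), so 'josefßon' becomes 'josefsson'.
    """
    hostname = hostname.rstrip(".")
    # Pure-ASCII labels pass through the codec unchanged, so lowercase them
    # here to get a canonical, case-insensitive comparison key.
    return hostname.encode("idna").decode("ascii").lower()


def _wildcard_pattern_ok(labels: list[str]) -> bool:
    """Accept only a bare '*' as the leftmost label with at least two labels
    after it. Partial patterns such as 'xn--*' or 'f*o' are rejected."""
    return labels[0] == "*" and len(labels) >= 3


def san_matches_hostname(san_dns_names: list[str], hostname: str) -> bool:
    """Check `hostname` (U-labels allowed) against a list of dNSName values.

    Each dNSName is compared on the A-label form only. A SAN entry that
    contains non-ASCII characters is not a valid dNSName (IA5String), so it
    can never match, even if it 'looks like' the right U-label.
    """
    host_labels = to_a_label_hostname(hostname).split(".")

    for san in san_dns_names:
        if not san.isascii():
            # A U-label stored in dNSName is an encoding error in the cert.
            continue
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[1:] != host_labels[1:]:
            continue
        if "*" in san_labels[0]:
            if _wildcard_pattern_ok(san_labels):
                return True
            continue
        if san_labels[0] == host_labels[0]:
            return True
    return False


if __name__ == "__main__":
    name = "räksmörgås.josefßon.example"
    print(to_a_label_hostname(name))
    # Constructed SAN lists: one correct (A-label), one wrong (U-label).
    print(san_matches_hostname(["xn--rksmrgs-5wao1o.josefsson.example"], name))
    print(san_matches_hostname(["räksmörgås.josefsson.example"], name))
```

The second SAN list in the usage block is the failure mode the thread warns about: a certificate issuer that writes the raw U-label into dNSName produces an entry that an IDN-unaware verifier can never match, so the application must do the conversion on its side before calling the check.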
