Hi Simon,

I am working on both the client and server sides.

What gives me most problems is the fingerprint authentication. In essence, each peer has a list of valid (remote peer's) certificate fingerprints. If the actual cert's fingerprint is in this list, the remote peer is successfully authenticated. This is an alternate auth mode that does not require PKI. I do not find samples of such, and I have gotten the impression that something like this is not supported. In essence, I am looking for something like a callback that is called during the handshake with the remote cert and that can reply with auth success/failure - all while in the handshaking process. Does that make any sense?

Rainer

On 5/19/08, Simon Josefsson <[EMAIL PROTECTED]> wrote:
> "Rainer Gerhards" <[EMAIL PROTECTED]> writes:
>
>> Hi,
>>
>> I am implementing an upcoming IETF standard (syslog over TLS,
>> http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-12.txt).
>> As part of that standard, clients and server need to do mutual
>> authentication, which can either happen via subject names OR via
>> fingerprints of the certificates.
>>
>> I would like to do the mutual authentication as part of the handshake,
>> so that the handshake does not complete successfully if the server can
>> not successfully authenticate the client or the client not
>> successfully authenticate the server. Is this possible with GnuTLS? If
>> so, could you give me a clue on what I need to provide to get it
>> working.
>>
>> Any feedback is deeply appreciated.
>
> If I understand correctly, you want to implement TLS client
> authentication, i.e. when the client also uses a key+certificate. Are
> you working on the client or server side, or both? In any case, check
> the gnutls examples, there should be examples for this.
>
> /Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
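The check Rainer describes, an allow-list lookup of the remote certificate's digest made while the handshake is still in progress, is sketched below as an added example; it is not code from this thread or from GnuTLS. Later GnuTLS releases do offer the hook he is asking for (gnutls_certificate_set_verify_function: a callback that returns non-zero aborts the handshake), and inside such a callback the peer cert's digest from gnutls_x509_crt_get_fingerprint() would be passed to fp_allowed(). The fingerprint text format ("<ALGO>:" followed by colon-separated hex octets) and all list entries and digest bytes are constructed assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed allow-list (format assumed: "<ALGO>:" + colon-separated hex octets). */
static const char *const kAllowed[] = {
    "SHA1:0C:0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:01:12:23",
    "SHA1:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD",
};
/* Constructed raw SHA-1 digest of the remote cert (what the TLS library hands us). */
static const uint8_t kPeerFp[20] = {
    0x0c,0x0f,0x1e,0x2d,0x3c,0x4b,0x5a,0x69,0x78,0x87,
    0x96,0xa5,0xb4,0xc3,0xd2,0xe1,0xf0,0x01,0x12,0x23 };
static int hexval(int c) {                     /* -1 if not a hex digit */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;  /* fold A-F */
}
/* Parse the hex part of an entry into raw bytes; returns 0 on any syntax error. */
size_t fp_parse(const char *entry, uint8_t *out, size_t outlen) {
    const char *p = strchr(entry, ':'); size_t n = 0;
    if (!p) return 0;
    for (p++; *p; p += 2) {
        int hi = hexval(p[0]), lo = hexval(p[1]);
        if (hi < 0 || lo < 0 || n >= outlen) return 0;
        out[n++] = (uint8_t)((hi << 4) | lo);
        if (p[2] == ':') p++;                  /* step over the separator */
        else if (p[2] != '\0') return 0;
    }
    return n;
}
/* Constant-time compare: a rejection must not leak where the digests differ. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}
/* The decision the handshake-time verify callback makes: is the peer cert's raw
 * digest `fp` (computed with `algo`) on the list? Other algorithms never match. */
bool fp_allowed(const uint8_t *fp, size_t fplen, const char *algo,
                const char *const *allowed, size_t nallowed) {
    uint8_t buf[64]; size_t alen = strlen(algo);
    for (size_t i = 0; i < nallowed; i++) {
        const char *e = allowed[i];
        if (strncmp(e, algo, alen) != 0 || e[alen] != ':') continue;
        size_t n = fp_parse(e, buf, sizeof buf);  /* malformed entry: n == 0 */
        if (n == fplen && ct_equal(fp, buf, n)) return true;
    }
    return false;                   /* unknown peer: callback fails the handshake */
}
```

A malformed or wrong-length list entry is treated as a non-match rather than an error, so one bad configuration line cannot accidentally admit a peer.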
