"Rainer Gerhards" <[EMAIL PROTECTED]> writes: > Hi Simon,
Hi Rainer! > I am working on both the client and server sides. Ok. > What gives me most problems is the fingerprint authentication. In > essence, each peer has a list of valid (remote peer's) certificate > fingerprints. If the actual cert's fingerprint is in this list, the > remote peer is succesfully authenticated. this is an alternate auth > mode that does not require pki. > > I do not find samples of such and i have gotten the impression that > something like this is not supported. Ah, I thought you wanted to implement the normal client PKI mutual auth approach. This is the normal way you do authentication using TLS libraries, and it should be relatively straightforward. > In essence, I am looking for something like a callback that is called > during handshake with the remote cert and that can reply with auth > success/failure - all while in the handshaking porcess. > > Does that make any sense? Yes, although I'm not sure it is a good idea to do it as part of the handshake: until the handshake is over, you don't know whether there is a man in the middle attacker present. I suggest completing the handshake as normal, and then compare fingerprints. If fingerprint comparisons fails, shut down the TLS session. Ideally, I think the IETF draft should discuss some of these details. It is easy to implement ssh-style leap-of-faith authentication incorrectly. /Simon > > Rainer > > On 5/19/08, Simon Josefsson <[EMAIL PROTECTED]> wrote: >> "Rainer Gerhards" <[EMAIL PROTECTED]> writes: >> >>> Hi, >>> >>> I am implementing an upcoming IETF standard ( syslog over TLS, >>> http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-12.txt >>> ). As part of that standard, clients and server need to do mutual >>> authentication, which can either happen via subject names OR via >>> fingerprints of the certificates. >>> >>> I would like to do the mutual authentication as part of the handshake, >>> so that the handshake does not complete successfully if the server can >>> not successfully authenticate the client or the client not >>> successfully authenticate the server. Is this possible with GnuTLS? If >>> so, could you give me a clue on what I need to provide to get it >>> working. >>> >>> Any feedback is deeply appreciated. >> >> If I understand correctly, you want to implement TLS client >> authentication, i.e. when the client also uses a key+certificate. Are >> you working on the client or server side, or both? In any case, check >> the gnutls examples, there should be examples for this. >> >> /Simon >> _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
