On 08/23/2010 08:28 PM, [email protected] wrote:
> 'Lo.
>
> I'm working on a small server program (the actual details of which
> aren't important).
>
> I want to use certificates and TLS to provide strong authentication
> but two questions still remain:
>
> 1. Users have accounts on the server. A user may have many
>    certificates registered to his account (and may log in using
>    any of them). I want the user's username to appear in each
>    certificate and the proper place for this appears to be in
>    the CommonName field. The problem: Unless I'm mistaken, this
>    field seems to be assumed to contain a hostname which is then
>    checked and results in a warning if it doesn't match the
>    expected value (which of course, it never will). Is there
>    a better place to put an application-specific username in
>    certificates?
Only if you use it as a web server certificate. Otherwise you are free to put whatever you like there. I remember there was a UID field as well.

> 2. I want to only allow connections from peers the server
>    has certificates for - a whitelist. What's the simplest
>    way to implement this? At the moment, I can only seem to
>    get GnuTLS to verify peers with the CA (which it needs to
>    do anyway, but I want to add this additional restriction).

Why not use certificates and certificate revocation lists? Otherwise there is no point in using certificates at all. You could use TLS-SRP or TLS-PSK with symmetric keys and avoid the burden of certificates. If you insist on this restriction, just compare the certificate sent in the connection with the certificates in your whitelist.

> As for the second question, I suppose I could create a server-specific
> CA, issue certificates to all clients and then only check connecting
> client certs against that CA (effectively creating a whitelist).

This is the obvious thing to do when using certificates for authentication. You can revoke certificates and put them into a server-accessible revocation list as well.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
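The two things Nikos suggests, a username carried in the certificate's CommonName that the application reads itself, and a whitelist built by comparing the certificate the peer presented against the ones the server already has on file, as an added example that is not part of the thread and not GnuTLS code. Python's ssl module (OpenSSL underneath) stands in for GnuTLS; the "certificates" in the demo are constructed placeholder bytes rather than real DER, and the rule that the CN must equal the account the certificate was registered under is a hypothetical policy chosen for the example.

```python
# Added example (not from the mailing-list thread, not GnuTLS code).
# Python's ssl module stands in for GnuTLS; certificate bytes below are
# constructed placeholders, not real DER.
import hashlib
import ssl
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding. Two certificates are equal iff their
    DER bytes are equal, so comparing fingerprints is the same as comparing
    the whole certificate, with a fixed-size key to store."""
    return hashlib.sha256(cert_der).hexdigest()


class CertWhitelist:
    """Certificates the server has registered, keyed by fingerprint.
    One account may own several certificates, as the question asks."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def register(self, username: str, cert_der: bytes) -> None:
        self._owner[fingerprint(cert_der)] = username

    def revoke(self, cert_der: bytes) -> bool:
        """Local stand-in for a CRL entry: drop one certificate without
        touching the user's other certificates. Returns True if it was listed."""
        return self._owner.pop(fingerprint(cert_der), None) is not None

    def lookup(self, cert_der: bytes) -> Optional[str]:
        return self._owner.get(fingerprint(cert_der))


def common_name(peer_info: dict) -> Optional[str]:
    """Pull commonName out of the dict ssl.SSLSocket.getpeercert() returns:
    'subject' is a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    for rdn in peer_info.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def authenticate_peer(sock: ssl.SSLSocket, wl: CertWhitelist) -> Optional[str]:
    """After the handshake the peer has proven possession of the private key
    for the certificate it sent; the whitelist decides whether that exact
    certificate belongs to an account. Returns the username or None."""
    der = sock.getpeercert(binary_form=True)
    if not der:
        return None
    username = wl.lookup(der)
    if username is None:
        return None
    # Hypothetical policy: the CN in the cert must agree with the account
    # the server registered it under.
    return username if common_name(sock.getpeercert()) == username else None


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server context that demands a client certificate chaining to the
    server-specific CA. check_hostname is False on a server context, so a
    username in CN produces no hostname mismatch here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


# Constructed placeholder "certificates" (arbitrary bytes, not real DER),
# enough to exercise the whitelist logic offline.
ALICE_CERT_1 = b"constructed-der:alice:laptop"
ALICE_CERT_2 = b"constructed-der:alice:phone"
MALLORY_CERT = b"constructed-der:mallory"


def demo() -> dict:
    wl = CertWhitelist()
    wl.register("alice", ALICE_CERT_1)
    wl.register("alice", ALICE_CERT_2)
    before = (wl.lookup(ALICE_CERT_1), wl.lookup(ALICE_CERT_2), wl.lookup(MALLORY_CERT))
    wl.revoke(ALICE_CERT_1)  # laptop cert withdrawn; the phone cert still works
    after = (wl.lookup(ALICE_CERT_1), wl.lookup(ALICE_CERT_2))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The whitelist pins exact certificates, so the CA check in make_server_context is redundant for admission but harmless, and it is what makes a revocation list usable later: a CRL published by the server-specific CA revokes at the TLS layer, while CertWhitelist.revoke is the in-application equivalent. The hostname warning from the question only arises when a client validates a server certificate against the name it connected to; a server verifying a client certificate never performs that match.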
