On 11/18/2011 07:04 PM, Rebel Neurofog wrote:
>> Welcome to the X.509 world. Certificates are being distinguished by the
>> extensions they are tagged with. I.e. you can tag the certificate as a
>> CA or not (using X.509v3 extensions). If you don't use the
>> tls_www_server then the only way to distinguish server from client
>> certificates is the text fields of the distinguished name.
> But if I don't use tls_www_server and tls_www_client I actually get
> some error message and things don't work.

This wasn't your issue (I think I pointed that out in a previous e-mail).

> 1. So, "www" is misused and not related to Web actually, right?

Not really. It is a hint to the peer on what to expect on the certificate, nothing more than that. Most certificates don't include it.

> 2. Just using tls_www_server and tls_www_client is enough to be sure
> of correct certificate usage - GnuTLS will ensure that (failing in
> case of misusing certificate), right?

No. GnuTLS only honors the key usage flags (that is, the flags that say whether the certificate is sign only or encrypt only, e.g. in RSA certificates).

> In case of common CA and same 'gnutls_certificate_set_x509_trust_file ()'
> there may be the following situation:
> - server A and server B have certificates from the same CA
> - server A gives certificate to client X

What do you mean server gives certificate to X? A CA signs and "gives" certificates, not a server. (Typically only certificates with the CA flag are allowed to sign other certificates.)

> - client X uses certificate given by server A to connect to server B
> - and it works

You have to be more precise on what you mean by works. When you call gnutls_certificate_set_x509_trust_file() on the server side you instruct the server to request from the client a certificate from one of the included CAs. If the server sees another certificate then it would consider it untrusted.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
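Nikos's point that GnuTLS honors the key usage bits but not the tls_www_server / tls_www_client purposes means that an application which wants to refuse, say, a server-only certificate presented as a client certificate has to inspect the extendedKeyUsage extension (OID 2.5.29.37) itself. The routine below is an added example, not code from this thread or from GnuTLS: it decodes the raw extension value (DER SEQUENCE OF OBJECT IDENTIFIER) and decides whether it permits a given role, treating an absent extension as unrestricted (RFC 5280 section 4.2.1.12) and the anyExtendedKeyUsage OID as a wildcard. The sample extension values are constructed by hand. In a GnuTLS program the raw value would come from gnutls_x509_crt_get_extension_by_oid() on the peer certificate; GnuTLS also offers gnutls_x509_crt_get_key_purpose_oid(), which returns the dotted OIDs directly, so the decoder here mainly shows what that check actually looks at and how to fail closed on malformed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread or GnuTLS): decode an X.509 extendedKeyUsage
 * value (DER SEQUENCE OF OBJECT IDENTIFIER) and decide whether the certificate may
 * act as a TLS server or a TLS client. */

enum peer_role { ROLE_SERVER, ROLE_CLIENT };

#define OID_SERVER_AUTH "1.3.6.1.5.5.7.3.1"   /* id-kp-serverAuth, certtool's tls_www_server */
#define OID_CLIENT_AUTH "1.3.6.1.5.5.7.3.2"   /* id-kp-clientAuth, certtool's tls_www_client */
#define OID_ANY_EKU     "2.5.29.37.0"         /* anyExtendedKeyUsage */

/* Parse a DER tag + length; returns the header size, stores the content length in *vlen. */
static int der_header(const uint8_t *p, size_t len, uint8_t tag, size_t *vlen)
{
    if (len < 2 || p[0] != tag)
        return -1;
    if (p[1] < 0x80) {                       /* short form */
        *vlen = p[1];
        return 2;
    }
    size_t nb = p[1] & 0x7f;                 /* long form: number of length bytes */
    if (nb == 0 || nb > 2 || len < 2 + nb)
        return -1;
    size_t v = 0;
    for (size_t i = 0; i < nb; i++)
        v = (v << 8) | p[2 + i];
    if (v < 0x80)                            /* DER requires the minimal encoding */
        return -1;
    *vlen = v;
    return (int)(2 + nb);
}

/* Convert DER OID content bytes to dotted decimal, e.g. "1.3.6.1.5.5.7.3.1". */
static int oid_to_dotted(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    if (len == 0 || (p[len - 1] & 0x80))     /* empty, or last sub-identifier truncated */
        return -1;
    size_t used = 0;
    uint32_t acc = 0;
    int first = 1;
    for (size_t i = 0; i < len; i++) {
        if (acc > (UINT32_MAX >> 7))
            return -1;                       /* sub-identifier too large for uint32_t */
        acc = (acc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)
            continue;                        /* continuation byte, keep accumulating */
        int n;
        if (first) {                         /* first sub-identifier packs the first two arcs */
            uint32_t a = acc < 80 ? acc / 40 : 2;
            n = snprintf(out + used, outsz - used, "%u.%u", (unsigned)a, (unsigned)(acc - a * 40));
            first = 0;
        } else {
            n = snprintf(out + used, outsz - used, ".%u", (unsigned)acc);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
        acc = 0;
    }
    return 0;
}

/* Returns 1 if the EKU value permits the role, 0 if it forbids it, -1 if malformed.
 * eku == NULL models an absent extension, which RFC 5280 treats as "any purpose". */
int eku_permits_role(const uint8_t *eku, size_t len, enum peer_role role)
{
    if (eku == NULL)
        return 1;
    const char *want = (role == ROLE_SERVER) ? OID_SERVER_AUTH : OID_CLIENT_AUTH;
    size_t seqlen;
    int h = der_header(eku, len, 0x30, &seqlen);
    if (h < 0 || (size_t)h + seqlen != len || seqlen == 0)
        return -1;                           /* bad length, trailing bytes, or empty SEQUENCE */
    const uint8_t *p = eku + h;
    size_t rem = seqlen;
    while (rem > 0) {
        size_t olen;
        int oh = der_header(p, rem, 0x06, &olen);
        if (oh < 0 || (size_t)oh + olen > rem)
            return -1;
        char dotted[64];
        if (oid_to_dotted(p + oh, olen, dotted, sizeof dotted) < 0)
            return -1;
        if (strcmp(dotted, want) == 0 || strcmp(dotted, OID_ANY_EKU) == 0)
            return 1;
        p += oh + olen;
        rem -= oh + olen;
    }
    return 0;                                /* extension present, role not listed */
}

/* Constructed sample extension values, as the 2.5.29.37 extension would carry them. */
const uint8_t EKU_SERVER_ONLY[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
const uint8_t EKU_BOTH[] = { 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
                             0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 };
const uint8_t EKU_ANY[] = { 0x30, 0x06, 0x06, 0x04, 0x55, 0x1d, 0x25, 0x00 };
const uint8_t EKU_TRUNCATED[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01 };   /* declared length overruns the buffer */

int main(void)
{
    printf("server-only cert used as client: %d\n", eku_permits_role(EKU_SERVER_ONLY, sizeof EKU_SERVER_ONLY, ROLE_CLIENT));
    printf("server-only cert used as server: %d\n", eku_permits_role(EKU_SERVER_ONLY, sizeof EKU_SERVER_ONLY, ROLE_SERVER));
    printf("truncated extension:             %d\n", eku_permits_role(EKU_TRUNCATED, sizeof EKU_TRUNCATED, ROLE_SERVER));
    return 0;
}
```

The check belongs in the application's certificate verification path, after the chain has been validated against the CAs loaded with gnutls_certificate_set_x509_trust_file(): a result of 0 or -1 should be treated as a verification failure, since a malformed extension is not a reason to fall back to "any purpose".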
