recommendations for storage of accepted certificates

Ted Zlatanov tzz at lifelogs.com
Mon Oct 4 03:37:36 CEST 2010


On Sun, 03 Oct 2010 08:34:48 +0200 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: 

NM> On 10/02/2010 05:45 PM, Ted Zlatanov wrote:
NM> The best alternative would be to store for every server the
NM> corresponding certificate and during next connection verify that it
NM> remained the same.
>> OK.  The question is then where to store it.  Emacs can handle all the
>> file interactions but I wondered if there's a convention
>> (e.g. $HOME/.certs or some such) where I can drop those certificates.
>> I'll call it $CERTDROP below.

NM> I don't think there is a standard location for that. I'd put it in a DB
NM> file (gdbm or so).

OK.  For Emacs it's better to use a directory than a DBM file because of
the many platforms supported and lack of native *DBM support.  So maybe
$HOME/.emacs.d/certificates/SERVER.pem where SERVER is a normalized
version of the server name.  Hmm, or maybe just use the IP address.  It
gets complicated (like the OpenSSH known hosts :)

>> 1) set up a conventional place where Emacs will drop accepted
>> certificates, $CERTDROP/*.pem

NM> If you're talking about server certificates I'd use:
NM> servername.pem, instead of loading it with the trusted certificate root.
...
NM> And here I mean, that I'd use this certificate as trusted only when
NM> connecting to the specific server.

OK.  I'll set up something but it's not simple so I'll look at how other
applications store keys and certificates.  I may use the OpenSSH known
hosts model and just dump/load a hashtable keyed by server name.

>> 3) set up a facility within the Emacs GnuTLS support to accept and store
>> unknown server certificates.  What function in the GnuTLS API can I use
>> to provide this?  I can't find the right way in the docs or in the
>> examples, sorry.

NM> What do you mean by unknown server? Do you mean known but untrusted? In
NM> any case gnutls doesn't provide such a facility for any of them. It was
NM> considered to be application specific (now I'm looking for a solution to
NM> that using pkcs11, but it wouldn't be available soon).

Sorry for the badly phrased questions.  Yes: I mean I connect to a known
server but its certificate is not trusted (I let GnuTLS verify the
certificate chain).  Would I just look at the error and ask the user to
accept the certificate and retry?  I was hoping to do it during the
handshake with a callback function.

Thanks
Ted
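
The per-server store discussed in this message (one SERVER.pem file per server, trusted only for that server and compared on the next connection), sketched as an added example; it is not part of the original message and is not Emacs or GnuTLS code. The function names, the host_port file naming and the constructed byte strings standing in for DER certificates are assumptions.

```python
import hashlib
import hmac
import os
import re
import ssl
import tempfile
from pathlib import Path

def normalize_server(host, port):
    """Turn a server name into a safe file stem (assumed scheme: host_port)."""
    name = host.strip().rstrip(".").lower()
    # Reject anything that could escape the store directory or alias an entry.
    if not re.fullmatch(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?", name) or ".." in name:
        raise ValueError(f"unsafe server name: {host!r}")
    return f"{name}_{int(port)}"

def fingerprint(der):
    """SHA-256 of the DER bytes, the value to show a user before accepting."""
    return hashlib.sha256(der).hexdigest()

def check_certificate(store, host, port, der, accept_new=False):
    """Return 'match', 'changed', 'unknown' or 'stored' for this server only."""
    path = Path(store) / (normalize_server(host, port) + ".pem")
    if path.exists():
        pinned = ssl.PEM_cert_to_DER_cert(path.read_text("ascii"))
        # A changed certificate is reported, never silently overwritten.
        return "match" if hmac.compare_digest(pinned, der) else "changed"
    if not accept_new:
        return "unknown"
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    # O_EXCL: never replace an existing pin; 0600: readable by the owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    return "stored"

if __name__ == "__main__":
    # Constructed byte strings stand in for the DER certificates a TLS
    # library would hand over after a failed chain verification.
    cert_a = b"constructed stand-in for DER certificate A"
    cert_b = b"constructed stand-in for DER certificate B"
    with tempfile.TemporaryDirectory() as store:
        print(check_certificate(store, "Mail.Example.org.", 993, cert_a))
        print("accept?", fingerprint(cert_a))
        print(check_certificate(store, "mail.example.org", 993, cert_a, True))
        print(check_certificate(store, "mail.example.org", 993, cert_a))
        print(check_certificate(store, "mail.example.org", 993, cert_b))
```

The stored file is consulted only for the server it is named after and is never added to the trusted root list, which matches the "trusted only when connecting to the specific server" point above.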





More information about the Gnutls-devel mailing list