certificate validation callbacks [was: Re: validating SAN URIs in gntls]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 8 15:05:06 CET 2011

On 03/08/2011 03:27 AM, Nikos Mavrogiannopoulos wrote:
> I don't really understand about what kind of callbacks is the discussion about.
> Isn't the callback set by gnutls_certificate_set_verify_function() sufficient?

Whoops!  I didn't realize this had been added to 2.10.0.  Yes, it looks
like that will do exactly what i was thinking.  Thanks for anticipating
this, Nikos!  I'm assuming this callback triggers on both the server and
client sides?

Out of curiosity, when gnutls_certificate_set_verify_function() gets
called, do we have evidence that the peer is actually in control of the
secret key corresponding to the public key in the certificate?  Or do we
only get that evidence after the handshake has completed?  (maybe the
answer is different for the case where we are the client vs. the case
where we are the server?)

The docs [0] say:

>> This function sets a callback to be called when peer's certificate has
>> been received in order to verify it on receipt rather than doing after
>> the handshake is completed. 

Is the idea that users of older versions of gnutls would have used
something like gnutls_handshake_set_post_client_hello_function() if they
are the server?  or just that they would have to manually invoke
gnutls_handshake(), then check the certificate, and alert/fail the
connection at that point?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110308/89974a7d/attachment.pgp>

More information about the Gnutls-devel mailing list