certificate validation callbacks [was: Re: validating SAN URIs in gntls]

peter williams home_pw at msn.com
Tue Mar 8 19:12:38 CET 2011

Perhaps, yes.

Does the GNUTLS *test* server use it to set a callback, that then verifies cert chains (such as self-signed client authn cert is indeed self-signed)?

I've been pointing folks at the GNUTLS test server, showing how it prints out the value of the client cert, showing its SAN_URI content in particular. The question I had in my mind, originally, was: was the signature on the cert even verified (by the lib, OR by the test server callback code)?

I can presume (I hope) that mere delivery of the client cert to the server by the library means that the SSL (RSA) ciphersuite was properly enforced by the library, ensuring that the RSA signature due to the clientauthn procedure of SSL matched the pubkey in the cert.

SSL doesn’t require that last condition; which motivates my question. A library might use a cache of "trusted pubkeys" to validate the RSA signature due to client authn, totally ignoring the client certs also received on the wire. Nothing requires that client authn enforcement and signature checking (for RSA) use the pubkeys from certs in the inbound certificate message (though this is commonly done).

At some point, I suppose I'll just have to read all the code, to see what it all does.

-----Original Message-----
From: n.mavrogiannopoulos at gmail.com [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
Sent: Tuesday, March 08, 2011 12:28 AM
To: gnutls-devel at gnu.org
Cc: Daniel Kahn Gillmor; peter williams
Subject: Re: certificate validation callbacks [was: Re: validating SAN URIs in gntls]

On Mon, Mar 7, 2011 at 8:19 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 03/07/2011 01:30 PM, peter williams wrote:
>> One might want to think about enabling GNUTLS servers to easily add
>> a validation callback *mechanism* for the case that SAN URI(s)
>> (possibly plural) are received in client certs.
> certificate validation callbacks would be a very nice thing to have,
> particularly if they include information about which particular
> session is triggering the verification.

I don't really understand what kind of callbacks the discussion is about.
Isn't the callback set by gnutls_certificate_set_verify_function() sufficient?

