Fwd: [Help-gnutls] Re: Authentication during Handshake

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue May 20 01:53:10 CEST 2008


On Mon, May 19, 2008 at 11:38 PM, Rainer Gerhards <rgerhards at gmail.com> wrote:
> Hi Simon,
>
> I am working on both the client and server sides.
>
> What gives me most problems is the fingerprint authentication. In
> essence, each peer has a list of valid (remote peer's) certificate
> fingerprints. If the actual cert's fingerprint is in this list, the
> remote peer is successfully authenticated. This is an alternate auth
> mode that does not require PKI.

Actually this is a hack. As far as I remember there was no standard
way to fingerprint a certificate. MD5 was widely used for this but it
is broken now.

The alternative modes of TLS/SSL that do not require PKI are TLS-SRP
(RFC 5054) and TLS-PSK (preshared keys - RFC 4279). These are the
straightforward ways to use TLS without PKI (certificates). Then it is
obvious to everybody how to perform the TLS handshake - if the shared
keys do not match it fails. GnuTLS supports both of these modes.

Please suggest these to the authors of the protocol you're referencing.


regards,
Nikos
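
Added example, not part of the original message and not GnuTLS code: a sketch of the fingerprint allow-list check described in the quoted text, refusing MD5-style entries as the reply cautions. The `SHA256:AA:BB:...` notation, hashing the DER-encoded certificate, and all names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Hex length per accepted digest. MD5 (32) and SHA-1 (40) are deliberately
# absent, so entries labelled with them are never honoured.
ALLOWED_HEX_LEN = {"sha256": 64}


def normalize(fp):
    """Return 'sha256:<lowercase hex>' or raise ValueError.

    Accepts 'SHA256:AA:BB:...' or 'sha-256:aabb...' (assumed notation).
    """
    algo, sep, digest = fp.strip().partition(":")
    algo = algo.lower().replace("-", "")
    if not sep or algo not in ALLOWED_HEX_LEN:
        raise ValueError("unsupported or missing digest label: %r" % fp)
    hexpart = digest.replace(":", "").replace(" ", "").lower()
    if len(hexpart) != ALLOWED_HEX_LEN[algo]:
        raise ValueError("wrong digest length: %r" % fp)
    if any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError("non-hex characters: %r" % fp)
    return algo + ":" + hexpart


def fingerprint(der_cert):
    """SHA-256 over the certificate's DER bytes (an assumed convention)."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def peer_is_authorized(der_cert, permitted):
    """True if the peer certificate matches any valid allow-list entry."""
    actual = fingerprint(der_cert).encode()
    ok = False
    for entry in permitted:
        try:
            expected = normalize(entry).encode()
        except ValueError:
            continue  # malformed or weak-digest entries never match
        # Constant-time compare; keep scanning so timing does not
        # reveal which entry matched.
        ok |= hmac.compare_digest(actual, expected)
    return ok


# Constructed stand-ins for DER-encoded peer certificates.
SAMPLE_CERT = b"constructed-der-bytes-for-peer-A"
OTHER_CERT = b"constructed-der-bytes-for-peer-B"
```

In a real handshake the bytes would come from the TLS library's raw peer certificate, and the check only means something if it runs before any application data is accepted.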




