[Help-gnutls] Re: Authentication during Handshake
Rainer Gerhards
rgerhards at gmail.com
Fri May 30 08:20:31 CEST 2008
Just double-checking:
As far as I have seen openSSL's SSL_CTX_set_cert_verify_callback() is
not implemented inside the compatibility layer? I am asking because of
http://www.ietf.org/mail-archive/web/syslog/current/msg01963.html
Thanks,
Rainer
On Wed, May 21, 2008 at 1:53 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi Nikos,
>>
>> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
>> <n.mavrogiannopoulos at gmail.com> wrote:
>>> Simon Josefsson wrote:
>>>
>>>>> I still would see a lot of benefit in being able to check the remote
>>>>> peers identity BEFORE the Finished message is sent. That way, I could
>>>>> block access to not permitted peers at the risk of the DoS outlined
>>>>> above. Am I still overlooking something?
>>>> No, I think that is correct. Nikos, any thoughts? You added some
>>>> callbacks during the handshake earlier, are any of those useful here?
>>> No unfortunately not. The callbacks I added are called after client
>>> hello is received. The callbacks you discuss need to be called after the
>>> certificate message is received.
>>
>> Could you point me to the file where processing the certificate
>> message is done? I would be interested to see if I could add a
>> callback, and may it even just be to know how it is done ;)
>
> The file is gnutls_handshake.c. The functions you're interested in are
> _gnutls_handshake_client, _gnutls_handshake_server (if you're doing it
> for both of them).
>
> A similar callback is _gnutls_user_hello_func which is the post_hello
> callback.
>
> I'd glad to review and commit and patches for this issue.
>
> regards,
> Nikos
>
More information about the Gnutls-help
mailing list