Couple of questions regarding CommonName and peer verification

lfinsto at gwdg.de lfinsto at gwdg.de
Wed Aug 25 12:33:55 CEST 2010


On Mon, August 23, 2010 8:28 pm, org.gnu.help-gnutls at coreland.ath.cx wrote:
> 'Lo.
> I'm working on a small server program (the actual details of which
> aren't important).
> I want to use certificates and TLS to provide strong authentication but
> two questions still remain:
> 1. Users have accounts on the server. A user may have many
>    certificates registered to his account (and may log in using
>    any of them). I want the user's username to appear in each
>    certificate and the proper place for this appears to be in
>    the CommonName field. The problem: Unless I'm mistaken, this
>    field seems to be assumed to contain a hostname which is then checked
>    and results in a warning if it doesn't match the
>    expected value (which of course, it never will). Is there
>    a better place to put an application-specific username in
>    certificates?

I have the same problem.  My solution is to not call
`gnutls_x509_crt_check_hostname' when verifying the client certificate. I
have a certificate from a "real" CA, i.e., one issued by a research
institution, and the CommonName field contains my name and nothing else. 
It is not intended that it should be bound to any particular machine,
server, domain, or similar entity.  I think it's reasonable for a person
to be able to use a single certificate from various computers.  However,
I'm still finding my way with respect to X.509 certificates, so perhaps
there's a better solution.  At any rate, this certificate, which I must
use on the client-side, would seem to be incompatible with the use of
`gnutls_x509_crt_check_hostname' by the server.
> 2. I want to only allow connections from peers the server
>    has certificates for - a whitelist. What's the simplest
>    way to implement this? At the moment, I can only seem to
>    get GnuTLS to verify peers with the CA (which it needs to
>    do anyway, but I want to add this additional restriction).

I think the best place to do this would be following the call to `accept'
on the server side.  The following (C++) code fragment shows how to get
the IP address (and port) of the client that has just initiated a
connection:
  #include <arpa/inet.h>
  #include <netinet/in.h>
  #include <sys/socket.h>
  #include <iostream>
  #include <sstream>
  #include <string>

  using namespace std;

  typedef struct sockaddr SA;

  int listen_sd, sd;
  struct sockaddr_in sa_cli;
  /* `accept' reads this as the size of `sa_cli' and overwrites it with
     the size actually used, so it must be initialised beforehand. */
  socklen_t client_len = sizeof (sa_cli);
  char topbuf[512];
  stringstream temp_strm;
  string thread_ctr_str;

  [...]

  /* `accept' fills in `sa_cli' with the client's address and port. */
  sd = accept (listen_sd, (SA *) &sa_cli, &client_len);
  temp_strm.str("");

  /* `inet_ntop' converts the binary address to text; `ntohs' converts
     the port from network to host byte order. */
  temp_strm << thread_ctr_str << "In `listen_auth':  Connection from "
            << inet_ntop (AF_INET,
                          &sa_cli.sin_addr,
                          topbuf, sizeof (topbuf))
            << ", port " << ntohs (sa_cli.sin_port)
            << endl;

I think it should be easy to check it against a list of IP-addresses and
break off the connection if it's not in the list.

> As for the second question, I suppose I could create a server-specific
> CA, issue certificates to all clients and then only check connecting
> client certs against that CA (effectively creating a whitelist).

I think this would only be useful for testing purposes and wouldn't work
for "real" CA certificates issued by "trusted" organizations.


Laurence Finston


-------------------------------------------------------------
Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen

Telefon: 	+49 551 201-1882
E-Mail: 	lfinsto at gwdg.de
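As an added example (not code from the reply above or from GnuTLS), the following C++ program carries the post-`accept' check through: it turns the address `accept' stored into text with `inet_ntop', builds the same log line as the fragment, and admits the peer only if that address is on an allow-list. It goes a little beyond the fragment in handling IPv6 as well as IPv4. The allow-list and the peer addresses are constructed sample values (RFC 5737/3849 documentation addresses); `make_peer' builds a `sockaddr_storage' from a literal so the logic can be run without a live socket. The address check is a network-level filter and complements, rather than replaces, the certificate verification the server still performs after the TLS handshake.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstring>
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Constructed sample allow-list (documentation addresses, not real hosts).
// A real server would load this from its configuration.
const std::set<std::string> ALLOWED_PEERS = { "192.0.2.10", "2001:db8::1" };

// Textual form of the address accept() stored in `sa' (IPv4 or IPv6).
// Returns "" for any other address family or on conversion failure.
std::string peer_address_text(const struct sockaddr *sa)
{
    char buf[INET6_ADDRSTRLEN];
    const void *addr;
    if (sa->sa_family == AF_INET)
        addr = &reinterpret_cast<const struct sockaddr_in *>(sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        addr = &reinterpret_cast<const struct sockaddr_in6 *>(sa)->sin6_addr;
    else
        return "";
    if (inet_ntop(sa->sa_family, addr, buf, sizeof buf) == NULL)
        return "";
    return std::string(buf);
}

// Port in host byte order (0 for unknown families).
unsigned peer_port(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return ntohs(reinterpret_cast<const struct sockaddr_in *>(sa)->sin_port);
    if (sa->sa_family == AF_INET6)
        return ntohs(reinterpret_cast<const struct sockaddr_in6 *>(sa)->sin6_port);
    return 0;
}

// The same log line as the fragment in the reply above.
std::string describe_peer(const std::string &thread_ctr_str, const struct sockaddr *sa)
{
    std::ostringstream s;
    s << thread_ctr_str << "In `listen_auth':  Connection from "
      << peer_address_text(sa) << ", port " << peer_port(sa);
    return s.str();
}

// Allow-list decision: admitted only if the textual address is listed.
// Unknown families and conversion failures are never admitted.
bool peer_is_allowed(const struct sockaddr *sa, const std::set<std::string> &allowed)
{
    std::string text = peer_address_text(sa);
    return !text.empty() && allowed.count(text) > 0;
}

// Builds a sockaddr_storage from an IPv4 or IPv6 literal and a port so the
// checks can be exercised without a socket. Returns false on bad input.
bool make_peer(const char *ip, unsigned port, struct sockaddr_storage *out)
{
    std::memset(out, 0, sizeof *out);
    struct sockaddr_in *v4 = reinterpret_cast<struct sockaddr_in *>(out);
    struct sockaddr_in6 *v6 = reinterpret_cast<struct sockaddr_in6 *>(out);
    if (inet_pton(AF_INET, ip, &v4->sin_addr) == 1) {
        v4->sin_family = AF_INET;
        v4->sin_port = htons(port);
        return true;
    }
    if (inet_pton(AF_INET6, ip, &v6->sin6_addr) == 1) {
        v6->sin6_family = AF_INET6;
        v6->sin6_port = htons(port);
        return true;
    }
    return false;
}

// Convenience: build the address and decide in one step.
bool check_sample(const char *ip, unsigned port, const std::set<std::string> &allowed)
{
    struct sockaddr_storage ss;
    if (!make_peer(ip, port, &ss))
        return false;
    return peer_is_allowed(reinterpret_cast<const struct sockaddr *>(&ss), allowed);
}

int main()
{
    // Constructed peers standing in for the `sa_cli' that accept() fills in;
    // `sd' would be the descriptor accept() returned.
    const char *samples[] = { "192.0.2.10", "198.51.100.7" };
    for (const char *ip : samples) {
        struct sockaddr_storage ss;
        make_peer(ip, 4433, &ss);
        const struct sockaddr *sa = reinterpret_cast<const struct sockaddr *>(&ss);
        std::cerr << describe_peer("[t0] ", sa) << std::endl;
        if (!peer_is_allowed(sa, ALLOWED_PEERS))
            std::cerr << "[t0] peer not on allow-list; server would close(sd)" << std::endl;
    }
    return 0;
}
```

The decision is kept in `peer_is_allowed' so the server can call it immediately after `accept' and close the descriptor on a false result, before any TLS handshake or certificate work is done for that connection.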
