Re: Server Credentials: x509 cert and key

From: Simon Josefsson
Date: Fri, 22 Aug 2008 14:53:26 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
Alvaro Lopez Ortega <address@hidden> writes:
> Hello there,
>
> I have a quick question for you guys, I hope someone can give me a
> hand with this. The thing is that I do not know how to access the X509
> cert and key from within a gnutls_certificate_server_credentials
> object.
>
> Allow me to summarize the problem. All this is happening in a server;
> I create one of the certificate_server_credentials structures for each
> virtual server and then, I read the key and cert for each of them by
> calling the gnutls_certificate_set_x509_key_file() function.
>
> Right after that, gnutls_certificate_server_set_retrieve_function()
> sets the SNI callback from which I can access the virtual server
> credentials that I'd like the TLS connection to use. However, there is
> where it gets kind of confusing to me.
>
> How am I supposed to set the cert.x509 and key.x509 values in the
> gnutls_retr_st structure? Is there a way to get those values by using
> the certificate server credential object?
Are the virtual servers listening on the same port?

If so, you shouldn't use gnutls_certificate_set_x509_key_file: that
function is intended where you know which certificate+key should be used
before the connection is started. But with SNI, you can't know this.
Thus, in the callback from
gnutls_certificate_server_set_retrieve_function, you need to figure out
which virtual server is requested by the client by calling
gnutls_server_name_get, and then load the proper certificate+key by
using gnutls_x509_crt_list_import and gnutls_x509_privkey_import. The
gnutls_retr_st should contain a pointer to the imported certificate/key.

I hope this helps.

If you can suggest documentation improvements that would have helped you
understand this, please do!

/Simon
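The arrangement the reply describes, as an added example written against the GnuTLS 2.x API of that time (not code from the thread or from GnuTLS): each virtual host's chain and key are imported once at startup with gnutls_x509_crt_list_import and gnutls_x509_privkey_import, and the retrieve callback only selects a host by SNI and fills gnutls_retr_st. The vhost struct, the vhosts table, reading the PEM files into gnutls_datum_t (left to the caller) and the HAVE_GNUTLS guard, which lets the host lookup compile and be tested without the library, are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#endif
/* One virtual server (constructed for this example); index 0 is the default host. */
struct vhost {
    const char *name;   /* lowercase DNS name */
#ifdef HAVE_GNUTLS
    gnutls_x509_crt_t *crts; unsigned int ncrts;   /* chain imported at startup, leaf first */
    gnutls_x509_privkey_t key;
#endif
};
/* Select a vhost for the SNI name from gnutls_server_name_get: that buffer is length-delimited,
 * so compare by len rather than strcmp(); unknown or missing names fall back to host 0. */
int find_vhost(const struct vhost *v, size_t n, const char *sni, size_t len)
{
    if (len && sni[len - 1] == '\0') len--;   /* tolerate a counted terminator */
    for (size_t i = 0; i < n; i++)
        if (strlen(v[i].name) == len && strncasecmp(v[i].name, sni, len) == 0) return (int)i;
    return 0;
}
#ifdef HAVE_GNUTLS
struct vhost vhosts[8]; size_t nvhosts;   /* filled at startup via load_vhost() */
/* Import one host's PEM chain and key once, instead of gnutls_certificate_set_x509_key_file. */
int load_vhost(struct vhost *v, const gnutls_datum_t *chain_pem, const gnutls_datum_t *key_pem)
{
    unsigned int max = 8; int ret;
    if (!(v->crts = calloc(max, sizeof *v->crts))) return GNUTLS_E_MEMORY_ERROR;
    ret = gnutls_x509_crt_list_import(v->crts, &max, chain_pem, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
    if (ret < 0) return ret;
    v->ncrts = (unsigned int)ret;   /* the return value is the number of certificates read */
    if ((ret = gnutls_x509_privkey_init(&v->key)) < 0) return ret;
    return gnutls_x509_privkey_import(v->key, key_pem, GNUTLS_X509_FMT_PEM);
}
/* Callback for gnutls_certificate_server_set_retrieve_function(): pick the host from SNI. */
int sni_retrieve(gnutls_session_t session, gnutls_retr_st *st)
{
    char name[256]; size_t len = sizeof name; unsigned int type; int idx = 0;
    if (gnutls_server_name_get(session, name, &len, &type, 0) == 0 && type == GNUTLS_NAME_DNS)
        idx = find_vhost(vhosts, nvhosts, name, len);
    st->type = GNUTLS_CRT_X509;
    st->cert.x509 = vhosts[idx].crts; st->ncerts = vhosts[idx].ncrts;
    st->key.x509 = vhosts[idx].key;
    st->deinit_all = 0;   /* the table owns these; GnuTLS copies them and must not free ours */
    return 0;
}
#endif
```

Build with -DHAVE_GNUTLS and -lgnutls to include the GnuTLS parts; the callback is registered with gnutls_certificate_server_set_retrieve_function on the one credentials object that serves the shared port.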