[Help-gnutls] Re: Authentication during Handshake

[Rainer Gerhards]

Hi Simon,

I am working on both the client and server sides.

What gives me most problems is the fingerprint authentication. In
essence, each peer has a list of valid (remote peer's) certificate
fingerprints. If the actual cert's fingerprint is in this list, the
remote peer is succesfully authenticated. this is an alternate auth
mode that does not require pki.

I do not find samples of such and i have gotten the impression that
something like this is not supported.

In essence, I am looking for something like a callback that is called
during handshake with the remote cert and that can reply with auth
success/failure - all while in the handshaking porcess.

Does that make any sense?

Rainer

On 5/19/08, Simon Josefsson <address@hidden> wrote:
> "Rainer Gerhards" <address@hidden> writes:
>
>> Hi,
>>
>> I am implementing an upcoming IETF standard ( syslog over TLS,
>> http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-12.txt
>> ). As part of that standard, clients and server need to do mutual
>> authentication, which can either happen via subject names OR via
>> fingerprints of the certificates.
>>
>> I would like to do the mutual authentication as part of the handshake,
>> so that the handshake does not complete successfully if the server can
>> not successfully authenticate the client or the client not
>> successfully authenticate the server. Is this possible with GnuTLS? If
>> so, could you give me a clue on what I need to provide to get it
>> working.
>>
>> Any feedback is deeply appreciated.
>
> If I understand correctly, you want to implement TLS client
> authentication, i.e. when the client also uses a key+certificate.  Are
> you working on the client or server side, or both?  In any case, check
> the gnutls examples, there should be examples for this.
>
> /Simon
>