help-gnutls

Re: Help needed with x.509 certificate


From: Nikos Mavrogiannopoulos
Subject: Re: Help needed with x.509 certificate
Date: Sat, 19 Nov 2011 19:51:00 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20111010 Icedove/3.1.15

On 11/18/2011 07:04 PM, Rebel Neurofog wrote:
>> Welcome to the X.509 world. Certificates are being distinguished by the
>> extensions they are tagged with. I.e. you can tag the certificate as a
>> CA or not (using X.509v3 extensions). If you don't use the
>> tls_www_server then the only way to distinguish server from client
>> certificates are the text fields of the distinguished name.
> But if I don't use tls_www_server and tls_www_client I actually get
> some error message and things don't work.

This wasn't your issue (I think I pointed that out in a previous e-mail).

> 1. So, "www" is misused and not related to Web actually, right?

Not really. It is a hint to the peer on what to expect on the
certificate, nothing more than that. Most certificates don't include it.

> 2. Just using tls_www_server and tls_www_client is enough to be sure
> of correct certificate usage - GnuTLS will ensure that (failing in
> case of misusing certificate), right?

No. GnuTLS will only honor the key usage flags (that is, the flags that
say whether the certificate is sign only or encrypt only, e.g. in RSA
certificates).

> In case of a common CA and the same 'gnutls_certificate_set_x509_trust_file ()'
> there may be the following situation:
> - server A and server B have certificates from the same CA
> - server A gives certificate to client X

What do you mean server gives certificate to X? A CA signs and "gives"
certificates, not a server. (Typically only certificates with the CA
flag are allowed to sign other certificates).

> - client X uses certificate given by server A to connect to server B
> - and it works

You have to be more precise on what you mean by works.
When you call gnutls_certificate_set_x509_trust_file() on the server
side you instruct the server to request from the client a certificate
issued by one of the included CAs. If the server sees another
certificate then it would consider it untrusted.

regards,
Nikos
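The practical consequence of the answer above is that a certificate's extended key usage (the purposes that certtool's tls_www_server and tls_www_client template options write as id-kp-serverAuth and id-kp-clientAuth OIDs) is something the application has to check itself if it wants to refuse a client certificate being presented as a server certificate or vice versa. The following is an added example, not code from this thread or from GnuTLS: it decodes the DER value of the extKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) with a small hand-written parser and applies the RFC 5280 rule that a missing extension means unrestricted use while a present one must list the purpose or anyExtendedKeyUsage. The sample extension values are hand-encoded for the example and do not come from any real certificate; the names decode_ext_key_usage and allowed_for are this example's own. In a real GnuTLS application the raw extension value would come from gnutls_x509_crt_get_extension_by_oid() (OID 2.5.29.37), or the purposes directly from gnutls_x509_crt_get_key_purpose_oid(); the example avoids libgnutls so it runs offline.

```python
# Added example (not from the thread or from GnuTLS): decode an X.509
# extKeyUsage extension value and enforce the purpose on the application
# side, since the library only honours the keyUsage bits.
from typing import List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (RFC 5280)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (RFC 5280)
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage (RFC 5280)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Accepts short and long-form definite lengths; rejects anything truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        if pos + nbytes > len(buf):
            raise ValueError("truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)          # continuation bit set -> more to come
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID subidentifier")
    return ".".join(str(a) for a in arcs)


def decode_ext_key_usage(der: bytes) -> List[str]:
    """Decode the extnValue of id-ce-extKeyUsage: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    oids = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    if not oids:
        raise ValueError("extKeyUsage must contain at least one purpose")
    return oids


def allowed_for(purpose: str, ext_value: Optional[bytes]) -> bool:
    """True if a certificate may be used for `purpose`.
    No extKeyUsage extension at all means unrestricted (RFC 5280 4.2.1.12);
    a present extension must list the purpose or anyExtendedKeyUsage."""
    if ext_value is None:
        return True
    oids = decode_ext_key_usage(ext_value)
    return purpose in oids or ANY_EKU in oids


# Constructed sample extension values (hand-encoded DER for this example,
# not taken from any real certificate).
SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
CLIENT_ONLY = bytes.fromhex("300a" "06082b06010505070302")
ANY_PURPOSE = bytes.fromhex("3006" "0604551d2500")

if __name__ == "__main__":
    for name, ext in (("server+client", SERVER_AND_CLIENT),
                      ("client only", CLIENT_ONLY),
                      ("anyExtendedKeyUsage", ANY_PURPOSE)):
        print(name, decode_ext_key_usage(ext),
              "usable as server:", allowed_for(SERVER_AUTH, ext))
```

The check belongs in the verification callback on the side that receives the peer's certificate: a server would call allowed_for(CLIENT_AUTH, ...) on the client's end-entity certificate and a client allowed_for(SERVER_AUTH, ...) on the server's, in addition to the chain validation against the trust file that the library already performs.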
