x509 certificate verify
From: Nikos Mavroyanopoulos
Subject: x509 certificate verify
Date: Wed Aug 1 10:46:01 2001

Hello,

While implementing the verification function for x509 certificates, I came to the following: How should the caller verify the peer's Common Name (which in the case of http servers is the dns name of the server)?

One approach (and currently implemented) was to provide a function (currently gnutls_set_X509_cn()), which will set a string that will be compared against the peer's CN, within the verification function. If this does not match, it returns E_WRONG_CN.

The other approach is to do nothing (only verify the certificate path), and let the caller do the checks with CN etc.

I've implemented the first, but in the case of client authentication the server may not only need to check the peer's CN but also some fields like O, OU, or even some of the issuer's fields. Thus I'm thinking of moving to the second approach, instead of providing a complex function that will do the necessary comparisons. What do you think?

--
Nikos Mavroyanopoulos
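
An added illustration of the second approach from the message above (the library verifies only the certificate path, the caller applies its own checks on CN, O, OU and issuer fields). It is not part of the original post and not GnuTLS code: every type, function and error name below is hypothetical, and it assumes the DN fields have already been parsed into length-tagged values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical types: DN values are length-tagged, not NUL-terminated. */
typedef struct { const char *data; size_t len; } dn_value;
typedef struct { dn_value cn, o, ou; } dn_fields;
typedef struct { dn_fields subject, issuer; } peer_cert;
/* Caller policy: a NULL entry means "do not check this field". */
typedef struct { const char *cn, *o, *ou, *issuer_o; int cn_is_dns; } peer_policy;
enum { POLICY_OK, POLICY_WRONG_CN, POLICY_WRONG_O, POLICY_WRONG_OU, POLICY_WRONG_ISSUER };
#define DNV(s) { s, sizeof(s) - 1 }

/* Lengths must be equal, so "www.example.org\0.evil.test" cannot pass
 * as "www.example.org" the way it would under strcmp(). */
static int value_matches(dn_value v, const char *want, int ignore_case)
{
    size_t i, n = strlen(want);
    if (v.data == NULL || v.len != n) return 0;
    for (i = 0; i < n; i++) {
        int a = (unsigned char)v.data[i], b = (unsigned char)want[i];
        if (ignore_case ? tolower(a) != tolower(b) : a != b) return 0;
    }
    return 1;
}

/* Call only after the certificate path itself has verified. */
int check_peer_policy(const peer_cert *c, const peer_policy *p)
{
    if (p->cn && !value_matches(c->subject.cn, p->cn, p->cn_is_dns)) return POLICY_WRONG_CN;
    if (p->o && !value_matches(c->subject.o, p->o, 0)) return POLICY_WRONG_O;
    if (p->ou && !value_matches(c->subject.ou, p->ou, 0)) return POLICY_WRONG_OU;
    if (p->issuer_o && !value_matches(c->issuer.o, p->issuer_o, 0)) return POLICY_WRONG_ISSUER;
    return POLICY_OK;
}

/* Constructed sample data, not from real certificates; omitted fields are absent. */
const peer_cert peer = { { DNV("WWW.Example.org"), DNV("Example Org"), DNV("Ops") },
                         { DNV("Example CA"), DNV("Example Trust") } };
const peer_cert nul_cn = { { DNV("www.example.org\0.evil.test") },
                           { DNV("Example CA"), DNV("Example Trust") } };
const peer_policy https_policy = { "www.example.org", NULL, NULL, NULL, 1 };
const peer_policy org_policy = { NULL, "Example Org", "Ops", "Example Trust", 0 };

int main(void)
{
    printf("%d %d %d\n", check_peer_policy(&peer, &https_policy),
           check_peer_policy(&nul_cn, &https_policy), check_peer_policy(&nul_cn, &org_policy));
    return 0;
}
```

The same function covers the HTTPS client case (CN only, compared as a DNS name) and the client-authentication case (O, OU and issuer O), which is the flexibility a single built-in CN comparison cannot offer.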