[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Checking hostname against certificate

From: Andrew McDonald
Subject: [Help-gnutls] Checking hostname against certificate
Date: Sun, 27 Jan 2002 21:22:37 +0000
User-agent: Mutt/1.5.0i

I'm currently making some improvements to my mutt/gnutls patches. One
of the things today was to get mutt to check the name of the host it
thinks it has connected to against the certificate presented by the

My procedure is:
1) try to get name from gnutls_x509pki_extract_subject_dns_name
2) if that doesn't work, get common_name from cert
3) compare against hostname used (taking into account wildcard
hostnames in the certificate, e.g. "*")

(Actually, might something along these lines be useful to put into
libgnutls itself?)

gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
As far as I understand it, this should extract a DNS name from a
Subject Alternative Name X.509v3 extension (as described in RFC2549,

For this I created a certificate with openssl, and I see the
appropriate extension:
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Alternative Name:

extract_subject_dns_name returns 56

Looking at the code for the gnutls function, I see:
        if ((result =
             _gnutls_get_extension(cert, "2 5 29 17", &dnsname)) < 0) {
                return result;
        } is the OID for an AltName extension. How does
_gnutls_get_extension know you want the dNSName?
(extract_subject_dns_name doesn't seem to do any further processing on
it). And why can't it find the extension anyway?
(Also, what would happen if there were multiple dNSNames in there?)

Any ideas or hints?

(I can supply the certificate or conf file used to generate the
certificate if it helps).

Many thanks,

Andrew McDonald
E-mail: address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]