help-gnutls

[Help-gnutls] Re: IDN and TLS certificates


From: Simon Josefsson
Subject: [Help-gnutls] Re: IDN and TLS certificates
Date: Fri, 17 Mar 2006 12:25:38 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Martin Lambers <address@hidden> writes:

> Hi!
>
> I'm not sure how to handle Internationalized Domain Names when verifying
> TLS certificates.
>
> As I understand, a TLS certificate for räksmörgås.josefßon.example
> should contain the value "xn--rksmrgs-5wao1o.josefsson.example" in a
> subjectAltName field of type DNS, therefore an application should first
> translate "räksmörgås.josefßon.example" to
> "xn--rksmrgs-5wao1o.josefsson.example" before calling
> gnutls_x509_crt_check_hostname(). Is this correct?

Yes.  subjectAltName is an IDN-unaware domain name slot, so it should
contain encoded IDNs, and the hostname parameter to
gnutls_x509_crt_check_hostname is also an IDN-unaware domain name slot.

I'm not sure there is much point in making GnuTLS handle IDN before
PKIX/TLS is IDN-aware.

The ServerName extension in TLS 1.1 is IDN-aware though, and maybe
there is some place for better IDN-handling in GnuTLS there, but I
can't think of any specific improvement.

Regards,
Simon
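
The conversion discussed in this message, as an added example that is not part of the original e-mail and is not GnuTLS code: the user-supplied name is converted to its ASCII form before it is compared with the certificate's dNSName entries. It assumes Python's built-in `idna` codec (IDNA 2003); the functions `to_ace`, `dns_name_matches` and `check_hostname` are hypothetical, the matcher is a simplified stand-in for gnutls_x509_crt_check_hostname(), and the certificate names are constructed.

```python
# Added illustration; the subjectAltName values below are constructed samples.
SAN_DNS_NAMES = ["xn--rksmrgs-5wao1o.josefsson.example", "*.mail.example"]


def to_ace(hostname: str) -> str:
    """Return the ASCII (ACE) form of a possibly internationalized hostname.

    Uses Python's built-in "idna" codec (IDNA 2003: nameprep + punycode).
    Raises UnicodeError for empty or over-long labels and prohibited input.
    """
    return hostname.rstrip(".").encode("idna").decode("ascii").lower()


def dns_name_matches(pattern: str, ace_host: str) -> bool:
    """Compare one dNSName entry with an ACE hostname, label by label.

    Simplified policy (an assumption of this example): case-insensitive,
    and "*" may only stand for the whole leftmost label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = ace_host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_hostname(san_dns_names, user_hostname: str) -> bool:
    """Convert the user's hostname to ACE first, then match the certificate."""
    try:
        ace_host = to_ace(user_hostname)
    except UnicodeError:
        return False  # fail closed: an unconvertible name never matches
    # dNSName is an IDN-unaware slot, so non-ASCII entries are ignored.
    return any(
        name.isascii() and dns_name_matches(name, ace_host)
        for name in san_dns_names
    )


if __name__ == "__main__":
    typed = "räksmörgås.josefßon.example"
    print("typed name found verbatim:", typed in SAN_DNS_NAMES)
    print("ACE form:", to_ace(typed))
    print("match after conversion:", check_hostname(SAN_DNS_NAMES, typed))
```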



