[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: IDN and TLS certificates
From: |
Simon Josefsson |
Subject: |
[Help-gnutls] Re: IDN and TLS certificates |
Date: |
Fri, 17 Mar 2006 12:25:38 +0100 |
User-agent: |
Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux) |
Martin Lambers <address@hidden> writes:
> Hi!
>
> I'm not sure how to handle Internationalized Domain Names when verifying
> TLS certificates.
>
> As I understand, a TLS certificate for räksmörgås.josefßon.example
> should contain the value "xn--rksmrgs-5wao1o.josefsson.example" in a
> subjectAltName field of type DNS, therefore an application should first
> translate "räksmörgås.josefßon.example" to
> "xn--rksmrgs-5wao1o.josefsson.example" before calling
> gnutls_x509_crt_check_hostname(). Is this correct?
Yes. subjectAltName is a IDN-unaware domain name slot, so it should
contain encoded IDNs, and the hostname parameter to
gnutls_x509_crt_check_hostname is also a IDN-unaware domain name slot.
I'm not sure there is much point in making GnuTLS handle IDN before
PKIX/TLS is IDN-aware.
The ServerName extension in TLS 1.1 is IDN-aware though, and maybe
there is some place for better IDN-handling in GnuTLS there, but I
can't think of any specific improvement.
Regards,
Simon