Server certificate hash checking

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 3 15:04:06 PST 2015


On Fri, 2015-01-02 at 21:37 +0000, David Woodhouse wrote:
> On Fri, 2015-01-02 at 23:16 +0200, Nikos Mavrogiannopoulos wrote:
> > On Fri, 2015-01-02 at 09:40 +0000, David Woodhouse wrote:
> > 
> > > > The latter is probably difficult, but printing the hash and key IDs is
> > > > probably a good idea. I'll check it.
> > > Well, if the luci https service is using the *same* cert as ocserv then
> > > presumably it's already been accepted.
> > 
> > No, it is not. I don't think it is a good idea to mix keys for different
> > services.
> Hm, is there a way for an X.509 certificate to specify which
> ports/services it's valid for? We only actually validate the *hostname*,
> because I thought that's all there was.

There is the key purpose X.509 extension. It is typically set to "TLS
WWW server". I'd expect different services to use a different key
purpose, although that's not so common.

regards,
Nikos
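The key purpose extension Nikos refers to is the X.509 Extended Key Usage (EKU) extension, and the point behind it here is that hostname matching alone says nothing about which service a certificate was issued for. The script below is an added illustration, not code from the thread or from ocserv/OpenConnect: it uses the openssl CLI to mint two self-signed certificates for the same made-up hostname (vpn.example.test), one with the "TLS WWW server" purpose (serverAuth) and one with only the client purpose (clientAuth), then shows how to read the EKU back and how `openssl x509 -purpose` answers whether the certificate is acceptable as a TLS server. File names, the hostname and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from ocserv/OpenConnect).
# Requires the openssl command-line tool; the hostname vpn.example.test and
# all file names are made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a self-signed certificate whose extendedKeyUsage is given by $2
# (e.g. "serverAuth" or "clientAuth"); $1 is the output file prefix.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ext
[ dn ]
CN = vpn.example.test
[ ext ]
subjectAltName = DNS:vpn.example.test
extendedKeyUsage = $2
EOF
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 1 \
        -config "$WORK/$1.cnf" >/dev/null 2>&1
}

# Print the key purposes listed in the certificate's EKU extension, as the
# human-readable names openssl uses ("TLS Web Server Authentication", ...).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Print "Yes" or "No": does OpenSSL consider this certificate usable as a
# TLS server? Both certificates below carry the same hostname, so this is
# exactly the distinction that hostname-only validation cannot make.
cert_is_server() {
    openssl x509 -in "$1" -noout -purpose |
        awk -F' : ' '$1 == "SSL server" { print $2 }'
}

# Demonstration: same host, different key purposes.
make_cert server serverAuth
make_cert client clientAuth
for c in server client; do
    printf '%s cert: EKU=[%s]  usable as TLS server: %s\n' \
        "$c" "$(cert_eku "$WORK/$c.pem")" "$(cert_is_server "$WORK/$c.pem")"
done
```

Run it with `sh eku-check.sh` (any file name). The client-only certificate is reported as not usable for "SSL server" even though its subjectAltName matches the hostname, which is the check a client would have to add on top of hostname verification if it wanted to tie a certificate to a particular service.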