On 11/07/2012 10:06 AM, Graham Murray wrote:
> On Wed, 2012-11-07 at 14:33 +0000, Ivan Shmakov wrote:
>> For my application, I need to establish a secure communication
>> between two peers, and as it seems, TLS is a perfect fit for
>> that.
>>
>> A feature of this application is that the public keys of the
>> peers are effectively “known in advance”, so, while self-signed
>> (unsigned?) X.509 certificates (or some OpenPGP ones) could be
>> employed, there's no practical benefit from CC/WoT verification.
>>
>> Hence, the question is: is there a way to specify the local key
>> pair and the remote public key to GnuTLS “directly”, just prior
>> to connecting the remote?
>
> Would PSK not do what you want?
PSK is not public key authentication, since the keys are shared.

I think the OP may want to avoid calling gnutls_certificate_verify_peers2, and write their own function to be passed to gnutls_certificate_set_verify_function that just compares the certificate received against a local file.

https://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html

Alternately (for a bit more flexibility in re-keying, should that come up, at the cost of extra administrative overhead), the OP could run their own X.509 or OpenPGP signing authority; then ship that signing authority with both peers, and use it to sign the certificates of either peer.

--dkg
_______________________________________________
Help-gnutls mailing list
Help-gnutls@gnu.org
https://lists.gnu.org/mailman/listinfo/help-gnutls