In nettls-gnutls, is the client peer name checked against the client certificate?
When using CamlCrush (https://github.com/ANSSI-FR/caml-crush) with TLS and mutual authentication, the connection to the server fails.
CamlCrush uses Ocamlnet as the TCP/TLS backend.
In /src/nettls-gnutls/nettls_gnutls.ml, the peer name is checked against the peer certificate:

    let name_ok =
      match ep.peer_name with
      | None -> false
      | Some pn ->
          let der_peer_certs = G.gnutls_certificate_get_peers ep.session in
          assert (der_peer_certs <> [| |]);
          let peer_cert = G.gnutls_x509_crt_init () in
          G.gnutls_x509_crt_import peer_cert der_peer_certs.(0) `Der;
          let ok = G.gnutls_x509_crt_check_hostname peer_cert pn in
          ok
    in
In the CamlCrush ticket, rb-anssi assumes that the check is also performed by the server. In that case the client peer name is empty, and the check fails.
I'm not fluent enough in OCaml to analyze whether that's true; could you have a look?
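As an added example (not Ocamlnet's code and not from the issue), here is a self-contained OCaml model of the check that distinguishes the client and server roles. It assumes the endpoint exposes a role and an optional peer name, as the arguments of create_endpoint suggest, and it replaces the GnuTLS hostname check with a constructed stand-in so it runs without the binding.

```ocaml
(* Added example, not Ocamlnet code: a role-aware version of the name check.
   Assumptions: the endpoint carries a [role] (`Client or `Server) and an
   optional [peer_name]; the GnuTLS hostname check is passed in as
   [check_hostname cert name]. *)

type role = [ `Client | `Server ]

type endpoint = {
  role : role;
  peer_name : string option;
  peer_certs : string array;  (* DER blobs, as gnutls_certificate_get_peers returns *)
}

(* Behaviour quoted in the issue: any endpoint without a peer name fails,
   including a server verifying a client certificate under mutual auth. *)
let name_ok_original check_hostname ep =
  match ep.peer_name with
  | None -> false
  | Some pn ->
      assert (ep.peer_certs <> [| |]);
      check_hostname ep.peer_certs.(0) pn

(* Role-aware variant: only a client necessarily has a name to enforce.
   A server without a configured peer name skips the hostname check and
   relies on the certificate chain verification it must perform separately
   (assumed to happen elsewhere; not shown here). *)
let name_ok_role_aware check_hostname ep =
  match ep.role, ep.peer_name with
  | `Server, None -> true
  | `Client, None -> false  (* a client must know whom it is connecting to *)
  | _, Some pn ->
      assert (ep.peer_certs <> [| |]);
      check_hostname ep.peer_certs.(0) pn

(* Constructed stand-in for gnutls_x509_crt_check_hostname: the DER string
   itself plays the role of the certificate's only DNS name. *)
let fake_check cert name = String.equal cert name

let () =
  let server = { role = `Server; peer_name = None;
                 peer_certs = [| "client.example" |] } in
  let client = { role = `Client; peer_name = Some "server.example";
                 peer_certs = [| "server.example" |] } in
  assert (not (name_ok_original fake_check server));  (* the reported failure *)
  assert (name_ok_role_aware fake_check server);
  assert (name_ok_role_aware fake_check client);
  print_endline "ok"
```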