gnuTLS issues

Christian Grothoff christian at
Mon Aug 25 15:35:49 CEST 2008

I found the problem by reading the code -- not by running any particular test. 
What we want to do is HTTPS supporting mostly only canonical features, 
certainly nothing exotic.  I was trying to understand the code and figure out 
what code could / should be removed since we're concerned about code size for 

Is GnuTLS usually compiled with ENABLE_PKI set to 1?  When Amir imported the 
GnuTLS code, he made sure that this flag was always set -- what does it do?


On Monday 25 August 2008 06:02:48 am Simon Josefsson wrote:
> Christian Grothoff <christian at> writes:
> > Hi Simon,
> >
> > I've just stumbled over a problem in the GNUtls codebase (dereferencing
> > of uninitialized pointer) and I cannot even figure out how the code was
> > supposed to work.  I've filed a report in *our* bugtracking system at:
> >
> >
> >
> > I would appreciate any insight you may have to offer.
> Hi Christian!
> I agree the code looks broken.
> Do you have, or can generate, a test-PKCS#7 blob that can be used to
> test this code?  As far as I can see, GnuTLS's certtool cannot generate
> a degenerate PKCS#7 blob with multiple certificates in it.  I can't seem
> to see how to generate it using OpenSSL either.
> Nikos, do you have any insight to this code?  The logic seems broken.
> Finally, do you think anyone will ever need the functionality to load
> certificates from a PKCS#7 blob?  It isn't working right now, and nobody
> has complained (well, at least not until now), so maybe we could just
> remove the code.
> Christian, how did you find this problem?  Do you want to store
> certificate lists in PKCS#7 blobs?
> Thanks,
> /Simon

More information about the Gnutls-devel mailing list