gnuTLS issues

Simon Josefsson simon at
Tue Aug 26 21:19:58 CEST 2008

Christian Grothoff <christian at> writes:

> I found the problem by reading the code -- not by running any particular test. 
> What we want to do is HTTPS supporting mostly only canonical features, 
> certainly nothing exotic.  I was trying to understand the code and figure out 
> what code could / should be removed since we're concerned about code size for 
> libmicrohttpd. 

You can definitely remove the code in your port.  Nobody seem to have
used it in GnuTLS either since it hasn't been working since at least
around v1.0...

> Is GnuTLS usually compiled with ENABLE_PKI set to 1?  When Amir imported the 
> GnuTLS code, he made sure that this flag was always set -- what does it do?

Yes, ENABLE_PKI is normally always 1 in GnuTLS, but there is
--disable-extra-pki to set it to 0.  I'm not sure the code even builds
with ENABLE_PKI set to 0 any more, I don't check for that.  Originally
the symbol was likely intended to strip GnuTLS of the larger X.509 parts
which are normally not needed.  But it is an old symbol, so Nikos will
know what it was intended for.


> Christian
> On Monday 25 August 2008 06:02:48 am Simon Josefsson wrote:
>> Christian Grothoff <christian at> writes:
>> > Hi Simon,
>> >
>> > I've just stumbled over a problem in the GNUtls codebase (dereferencing
>> > of uninitialized pointer) and I cannot even figure out how the code was
>> > supposed to work.  I've filed a report in *our* bugtracking system at:
>> >
>> >
>> >
>> > I would appreciate any insight you may have to offer.
>> Hi Christian!
>> I agree the code looks broken.
>> Do you have, or can generate, a test-PKCS#7 blob that can be used to
>> test this code?  As far as I can see, GnuTLS's certtool cannot generate
>> a degenerate PKCS#7 blob with multiple certificates in it.  I can't seem
>> to see how to generate it using OpenSSL either.
>> Nikos, do you have any insight to this code?  The logic seems broken.
>> Finally, do you think anyone will ever need the functionality to load
>> certificates from a PKCS#7 blob?  It isn't working right now, and nobody
>> has complained (well, at least not until now), so maybe we could just
>> remove the code.
>> Christian, how did you find this problem?  Do you want to store
>> certificate lists in PKCS#7 blobs?
>> Thanks,
>> /Simon

More information about the Gnutls-devel mailing list