2.3.x regression in auth_cert.c:call_get_cert_callback
Joe Orton
joe at manyfish.co.uk
Mon Mar 31 12:47:29 CEST 2008
On Mon, Mar 31, 2008 at 12:28:29PM +0200, Simon Josefsson wrote:
> Joe Orton <joe at manyfish.co.uk> writes:
> > Thanks. With this applied and the new DN functions in 2.3.x, the last
> > of the neon regressions relative to OpenSSL are now fixed and for the
> > first time I get a 100% pass rate with neon's SSL test suite. And due
> > to the external signing callback in GnuTLS, neon supports one major
> > feature which is not supported with OpenSSL - PKCS#11.
> >
> > So, nice work, guys :)
>
> Cool! Can I build and run the neon self test suite relatively easily
> myself? It seems it checks a lot of TLS stuff, and it might be useful to
> run before releasing v2.4.0 to catch silly mistakes.
svn co http://svn.webdav.org/repos/projects/neon/trunk/
cd trunk
./autogen.sh
./configure --with-ssl=gnutls --with-libs=/path/to/gnutls/install/root
make check TESTS=ssl
should be sufficient; let me know if not.
You need to have pakchois (http://www.manyfish.co.uk/pakchois/) and NSS
installed in standard places to be able to test the PKCS#11 interfaces;
the test suite uses the NSS software token.
> > 11. load_client_cert...... WARNING: no friendly name given
> > ...................... pass (with 1 warning)
> ...
> > 53. pkcs11_dsa............ server child failed: SSL accept failed: SSL error: The scanning of a large integer has failed.
>
> Does this refer to anything we should improve in gnutls?
For 11, possibly yes - OpenSSL allows you to retrieve the friendly name
of an encrypted PKCS#12 cert without decrypting it; I couldn't work out
how to do that with GnuTLS.
For 53, I don't know, I haven't looked into this yet, I suspect it's a
bug in neon or the neon test suite (hence the test is marked as expected
to fail).
joe
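The build-and-test procedure given in the message above, wrapped in a POSIX sh script, as an added example that is not code from neon, GnuTLS or this thread. The svn URL, the configure flags and "make check TESTS=ssl" are taken from the message; the function names, the RUN_NEON_TESTS and GNUTLS_ROOT variables, and the use of the pkg-config module names pakchois and nss to detect the optional PKCS#11 prerequisites are assumptions of this example. Without RUN_NEON_TESTS=1 it only prints the plan, so it can be inspected or sourced without touching the network.

```shell
#!/bin/sh
# Added example wrapping the neon build-and-test steps from the mail above.
# Assumptions (not from neon/GnuTLS): the function names, the RUN_NEON_TESTS
# and GNUTLS_ROOT variables, and that pakchois and NSS install pkg-config
# modules named "pakchois" and "nss".
set -eu

# Checkout URL as given in the message.
NEON_SVN_URL="http://svn.webdav.org/repos/projects/neon/trunk/"

# Configure arguments for a GnuTLS install rooted at $1 (no spaces in path).
neon_configure_args() {
    printf '%s' "--with-ssl=gnutls --with-libs=$1"
}

# Report which optional PKCS#11 prerequisites (pakchois, NSS) are missing,
# as a space-separated list; empty means both were found. Without pkg-config
# we cannot tell, so both are reported as missing.
pkcs11_prereqs_missing() {
    missing=""
    for mod in pakchois nss; do
        if ! command -v pkg-config >/dev/null 2>&1 || \
           ! pkg-config --exists "$mod" 2>/dev/null; then
            missing="$missing $mod"
        fi
    done
    printf '%s' "${missing# }"
}

# Print the exact command sequence, one per line, for install root $1.
neon_test_plan() {
    gnutls_root=$1
    printf '%s\n' \
        "svn co $NEON_SVN_URL" \
        "cd trunk" \
        "./autogen.sh" \
        "./configure $(neon_configure_args "$gnutls_root")" \
        "make check TESTS=ssl"
}

# Run the plan for real. The PKCS#11 tests use the NSS software token, so
# warn up front if pakchois or NSS is not installed in a standard place.
neon_run_tests() {
    gnutls_root=$1
    missing=$(pkcs11_prereqs_missing)
    if [ -n "$missing" ]; then
        echo "note: PKCS#11 tests need pakchois and NSS; not found: $missing" >&2
    fi
    svn co "$NEON_SVN_URL"
    cd trunk
    ./autogen.sh
    # shellcheck disable=SC2046  # intentional word splitting of the args
    ./configure $(neon_configure_args "$gnutls_root")
    make check TESTS=ssl
}

if [ "${RUN_NEON_TESTS:-0}" = "1" ]; then
    neon_run_tests "${GNUTLS_ROOT:-/usr/local}"
else
    echo "dry run; set RUN_NEON_TESTS=1 to check out, build and test neon:"
    neon_test_plan "${GNUTLS_ROOT:-/usr/local}"
fi
```

Usage: `GNUTLS_ROOT=/path/to/gnutls/install/root RUN_NEON_TESTS=1 sh neon-ssl-check.sh` runs the checkout and `make check TESTS=ssl` against that GnuTLS; omitting RUN_NEON_TESTS prints the plan only.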