[gnutls-devel] cert-type check ignores retrieve_function2

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 10 12:16:42 CET 2015


On Fri, 2015-01-09 at 19:24 +0100, Rick van Rein wrote:
> Hello,
> 
> When setting up TLS with cert-type OpenPGP from a client, the server verifies if it supports the extension’s contents in _gnutls_session_cert_type_supported(). This function checks for cred->get_cert_callback but not cred->get_cert_callback2. As a result, servers set up for the OpenPGP certificate credential callback with gnutls_certificate_set_retrieve_function2() are unable to use the OpenPGP certificate type.
> 
> This was first noticed on GnuTLS 3.2.1 and has been verified to still apply to GnuTLS 3.2.21.
> 
> The solution is to consider cred->get_cert_callback2 alongside cred->get_cert_callback in _gnutls_session_cert_type_supported().  A patch to do this has been appended; it has been confirmed to solve the problem.

Thanks. I've pushed the fix, as well as a test case to avoid that issue
in the future.

regards,
Nikos
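To make the bug class in the report concrete, here is an added, self-contained model of the capability check (it is not GnuTLS source and not code from either mail): a credential structure with the two callback slots named in the report, the pre-fix check that consults only the first slot, the fixed check that consults both, and a regression-style check in the spirit of the test case Nikos mentions. The struct layout, the function names `cert_type_supported_before`/`cert_type_supported_after`, the `retrieve_fn` types and `dummy_retrieve2` are assumptions made for the model; the real `_gnutls_session_cert_type_supported()` inspects more than this.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model (not GnuTLS code) of a certificate
 * credential with two alternative "retrieve certificate" callback slots. */
enum cert_type { CERT_X509 = 1, CERT_OPENPGP = 2 };

typedef int (*retrieve_fn)(void);

struct cert_cred {
    retrieve_fn get_cert_callback;  /* slot filled by gnutls_certificate_set_retrieve_function()  */
    retrieve_fn get_cert_callback2; /* slot filled by gnutls_certificate_set_retrieve_function2() */
};

/* Pre-fix behaviour as described in the report: only the first callback slot
 * counts as evidence that the application can supply an OpenPGP certificate,
 * so a server configured through the "2" API is wrongly reported as unable. */
static bool cert_type_supported_before(const struct cert_cred *cred, enum cert_type t)
{
    if (t == CERT_X509)
        return true; /* model: X.509 always available */
    return cred->get_cert_callback != NULL;
}

/* Post-fix behaviour: either callback slot satisfies the check, so every
 * configuration path that can produce an OpenPGP certificate is recognised. */
static bool cert_type_supported_after(const struct cert_cred *cred, enum cert_type t)
{
    if (t == CERT_X509)
        return true;
    return cred->get_cert_callback != NULL || cred->get_cert_callback2 != NULL;
}

/* Stand-in for an application's retrieve callback (model only). */
static int dummy_retrieve2(void) { return 0; }

/* Regression check: a credential configured only via the "2" callback must be
 * accepted for OpenPGP after the fix. Returns 1 on pass, 0 on failure. */
int regression_callback2_accepted(void)
{
    struct cert_cred cred = { .get_cert_callback = NULL,
                              .get_cert_callback2 = dummy_retrieve2 };
    return cert_type_supported_after(&cred, CERT_OPENPGP) ? 1 : 0;
}

/* Demonstrates the reported defect: the same credential is rejected by the
 * pre-fix check. Returns 1 if the defect reproduces, 0 otherwise. */
int defect_reproduces_before_fix(void)
{
    struct cert_cred cred = { .get_cert_callback = NULL,
                              .get_cert_callback2 = dummy_retrieve2 };
    return cert_type_supported_before(&cred, CERT_OPENPGP) ? 0 : 1;
}

int main(void)
{
    printf("defect reproduces with pre-fix check: %s\n",
           defect_reproduces_before_fix() ? "yes" : "no");
    printf("callback2 accepted by fixed check:    %s\n",
           regression_callback2_accepted() ? "yes" : "no");
    return regression_callback2_accepted() ? 0 : 1;
}
```

The lesson the model isolates is that when a library offers two equivalent configuration APIs, every capability check that gates on one of them has to be updated for the other; a regression test that configures the feature through each API and asserts the same negotiated outcome is what keeps the two paths from drifting apart again.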