[gnutls-devel] gnutls ASSERT lines even when not using TLS on knot-resolver

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jun 11 08:48:25 CEST 2017


On Sat, Jun 10, 2017 at 11:58 AM, Vladimír Čunát <vladimir.cunat at nic.cz> wrote:
> On 06/10/2017 11:26 AM, Nikos Mavrogiannopoulos wrote:
>> On Thu, Jun 8, 2017 at 8:11 PM, Daniel Kahn Gillmor
>> <dkg at fifthhorseman.net> wrote:
>>>
>>>      [tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750
>>>      [tls] gnutls: (3) ASSERT: pubkey.c[pubkey_verify_hashed_data]:1913
>>>
>>> Presumably this has to do with the fact that knot-resolver is using
>>> nettle to do DNSSEC verification, but i don't understand the linkage
>>> between GnuTLS and nettle well enough to know why this would be
>>> happening just because the gnutls logging function is set.
>>
>> My guess is that it uses the gnutls signing/verification functions
>> rather than nettle directly. The knot developers may be in better
>> position to answer that.
>
> Right, I didn't realize that gnutls is used indirectly for DNSSEC stuff
> (through libdnssec), so we started catching messages from more than just
> TLS.
>
> Still, how can I/we check if such assertion messages mean anything "wrong"
> is happening?  I can't see any pointers in the documentation around
> http://gnutls.org/manual/gnutls.html#Debugging-and-auditing

Only the messages through the audit interface may indicate something
wrong. Everything else is debugging information to assist when
something goes wrong.

regards,
Nikos


