[Help-gnutls] Re: SMTP TLS & Thunderbird

Simon Josefsson simon at josefsson.org
Mon Feb 12 10:03:14 CET 2007


David Given <dg at cowlark.com> writes:

> Simon Josefsson wrote:
> [...]
>> Many programs refuse to work if the server doesn't have a X.509
>> certificate, so yes, I'm afraid you'll have to add that to your
>> server, or modify a lot of clients.
>
> It's all working now, thanks. Although I will admit that setting all the code
> up was not pretty --- the documentation's very hazy on what the various
> functions return if something goes wrong (such as not being able to read the
> keyfiles)

This kind of feedback is very important, could you please describe in
more detail what documentation lead you wrong, and what mistakes you
did?  The documentation isn't perfect, but in order to know where to
spend time improving it, it is useful to know where the weakest parts
are.

> and I've found that in order to make it fall back on anonymous
> authentication if the keys don't work I have to call
> gnutls_kx_set_priority(), which surprises me as the documentation
> swears blind that it's ignored on servers.

Hm, the documentation for that function says:

  * Note that the priority is set on the client. The server does
  * not use the algorithm's priority except for disabling
  * algorithms that were not specified.

I suspect that is what happened.  Did you call
gnutls_set_default_priority() first, and thought it would be
sufficient to get ANON to work?  It isn't, if you want ANON to work,
you must call gnutls_kx_set_priority().  The default cipher suite list
doesn't include ANON, so the server will disable that KX unless you
manually added it.

Hm.  I'd agree that you don't really get the full picture from that
docstring...

I have had similar problems recently -- SRP/PSK isn't used unless you
set them early in gnutls_kx_set_priority.  It would be better if
SRP/PSK was the first default KX's, and they disabled themselves
unless there were SRP/PSK credentials available.  I think that would
better match the preferred logic by most applications.  Few programs
will prefer ANON cipher suites if it set a valid and working SRP/PSK
credential.

I think the current logic is both sub-optimal and under-documented.
It would be better if gnutls_set_default_priority() enabled more
ciphers by default (e.g., PSK/SRP and maybe ANON), and that other
parts of GnuTLS disable them if there aren't credentials available.
In any case, the documentation should make it clear that you need to
tinker with gnutls_*_set_priority to enable certain functionality.

> Incidentally, my various early blundering attempts managed to get a number of
> things wrong, which caused gnutls-cli to fall over good and hard. Is this
> important?

Yes, anything that fails hard is a serious bug.  Please let me know!

/Simon





More information about the Gnutls-help mailing list