2.3.x regression in auth_cert.c:call_get_cert_callback
Simon Josefsson
simon at josefsson.org
Mon Mar 31 12:28:29 CEST 2008
Joe Orton <joe at manyfish.co.uk> writes:
> On Sat, Mar 29, 2008 at 12:08:46PM +0200, Nikos Mavrogiannopoulos wrote:
>> Joe Orton wrote:
>>> GnuTLS now fails if st->key.x509 is NULL; if I avoid that code path as
>>> below, it works again. Is this not the correct way to be using the
>>> interface? There is nothing much else that could be returned in key.x509
>>> for this case, AFAICS.
>>
>> You're right. I've reverted to the old behaviour.
>
> Thanks. With this applied and the new DN functions in 2.3.x, the last
> of the neon regressions relative to OpenSSL are now fixed and for the
> first time I get a 100% pass rate with neon's SSL test suite. And due
> to the external signing callback in GnuTLS, neon supports one major
> feature which is not supported with OpenSSL - PKCS#11.
>
> So, nice work, guys :)
Cool! Can I build and run the neon self test suite relatively easily
myself? It seems it checks a lot of TLS stuff, and it might be useful to
run before releasing v2.4.0 to catch silly mistakes.
> 11. load_client_cert...... WARNING: no friendly name given
> ...................... pass (with 1 warning)
...
> 53. pkcs11_dsa............ server child failed: SSL accept failed: SSL error: The scanning of a large integer has failed.
Does this refer to anything we should improve in gnutls?
/Simon
More information about the Gnutls-devel mailing list