2.3.x regression in auth_cert.c:call_get_cert_callback

Joe Orton joe at manyfish.co.uk
Mon Mar 31 12:47:29 CEST 2008

On Mon, Mar 31, 2008 at 12:28:29PM +0200, Simon Josefsson wrote:
> Joe Orton <joe at manyfish.co.uk> writes:
> > Thanks.  With this applied and the new DN functions in 2.3.x, the last 
> > of the neon regressions relative to OpenSSL are now fixed and for the 
> > first time I get a 100% pass rate with neon's SSL test suite.  And due 
> > to the external signing callback in GnuTLS, neon supports one major 
> > feature which is not supported with OpenSSL - PKCS#11.
> >
> > So, nice work, guys :)
> Cool!  Can I build and run the neon self test suite relatively easy
> myself?  It seems it checks a lot TLS stuff, and it might be useful to
> run before releasing v2.4.0 to catch silly mistakes.

svn co http://svn.webdav.org/repos/projects/neon/trunk/
cd trunk
./configure --with-ssl=gnutls --with-libs=/path/to/gnutls/install/root
make check TESTS=ssl

should be sufficient; let me know if not.

You need to have pakchois (http://www.manyfish.co.uk/pakchois/) and NSS 
installed in standard places to be able to test the PKCS#11 interfaces; 
the test suite uses the NSS software token.

> > 11. load_client_cert...... WARNING: no friendly name given
> >     ...................... pass (with 1 warning)
> ...
> > 53. pkcs11_dsa............ server child failed: SSL accept failed: SSL error: The scanning of a large integer has failed.
> Does this refer to anything we should improve in gnutls?

For 11, possibly yes - OpenSSL allows you to retrieve the friendly name 
of an encrypted PKCS#12 cert without decrypting it; I couldn't work out 
how do to that with GnuTLS.

For 53, I don't know, I haven't looked into this yet, I suspect it's a 
bug in neon or the neon test suite (hence the test is marked as expected 
to fail).


More information about the Gnutls-devel mailing list