Handshake and verification

lfinsto at gwdg.de
Wed Dec 9 15:06:57 CET 2009


Hello,

I've been working on my client-server pair with X.509 authentication,
using the code from the examples in the manuals.  I've put the code for
handling the connections into a (POSIX) thread function, i.e., one passed
to `pthread_create'.  In order to test this, I've made it possible to call
the client with a `--sleep' argument to put it to sleep for a few seconds.
I call it several times and put it into the background, so several
clients can be running and connected to the server at the same time.

I got this error:

optdbsrv: ath.c:186: _gcry_ath_mutex_lock: Assertion `*lock ==
((ath_mutex_t) 0)' failed.
Aborted

I was able to fix it by locking and unlocking a mutex before and after the
call to `gnutls_handshake'.

I have determined that I don't have the file `ath.c' on my system, so I
will have to download the source distribution of `libgcrypt'.  It would be
nicer if one didn't have to lock and unlock a mutex.  If it can't be
avoided, perhaps it would be good to document this. (I'll be glad to do this
myself, if I can).

I think my server-client pair would make a good example and test case, but
I need to discuss some things with my employer regarding copyright,
permission to publish, etc., and I also haven't gotten the papers from the
FSF yet.

I've tried downloading the sources from the git repository using the
method for developers, but it didn't work.  Perhaps I need to register a
public key somewhere;  I haven't had a chance to try to find out what I
need to do yet.

*********************

This is my workaround for handling proxy certificates (based on example
from manual and modified):

  /* Do the actual verification.  */

  gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);

  /* GNUTLS_CERT_INVALID is the summary bit; the bits tested below
     give the reason.  */
  if (output & GNUTLS_CERT_INVALID)
    {
      if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
        {
          fprintf (stderr, "Not trusted");
          fprintf (stderr, ": no issuer was found");
        }

      /* Workaround: a non-CA issuer is reported as trusted, because
         the previous certificate might be a proxy.  */
      if (output & GNUTLS_CERT_SIGNER_NOT_CA)
        {
          fprintf (stderr, "Trusted");
          fprintf (stderr, ": issuer is not a CA\n");
          fprintf (stderr, "This isn't so important, the previous "
                   "certificate might be a proxy.");
        }
      fprintf (stderr, "\n");
    }
  else
    fprintf (stderr, "Trusted\n");

It would be neater if `GNUTLS_CERT_INVALID' wasn't necessarily true just
because `GNUTLS_CERT_SIGNER_NOT_CA' is, but it doesn't really cause any
harm.  If anyone implements any special handling for proxy certificates,
please let me know so I can test them.

Thanks,

Laurence

------------------------------------------------------------
Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen

Telefon: 	+49 551 201-1882
E-Mail: 	lfinsto at gwdg.de
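
Added example, not part of the original post and not GnuTLS code: because the summary bit is set together with the "issuer is not a CA" bit, a proxy-certificate exception is safest when it is granted only if no other failure bit accompanies it. The `ST_*` names, their values and `classify_link` are assumptions constructed for this sketch; real code would use the constants from `<gnutls/x509.h>`.

```c
#include <stdio.h>

/* Stand-ins for the status flags named in the post (GNUTLS_CERT_INVALID,
   GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_CERT_SIGNER_NOT_CA) plus a
   revocation bit.  Names and values are constructed for this example. */
enum {
  ST_INVALID          = 1 << 1,
  ST_REVOKED          = 1 << 5,
  ST_SIGNER_NOT_FOUND = 1 << 6,
  ST_SIGNER_NOT_CA    = 1 << 7
};

typedef enum { LINK_TRUSTED, LINK_PROXY_CANDIDATE, LINK_REJECTED } link_verdict;

/* Classify one issuer/subject link from its verification status.
   "Issuer is not a CA" is tolerated only when it is the sole reason the
   summary bit is set; any other failure bit rejects the link.  A
   PROXY_CANDIDATE still has to pass the caller's own proxy checks. */
link_verdict
classify_link (unsigned int status)
{
  if (status == 0)
    return LINK_TRUSTED;
  if ((status & ~(unsigned int) ST_INVALID) == (unsigned int) ST_SIGNER_NOT_CA)
    return LINK_PROXY_CANDIDATE;
  return LINK_REJECTED;
}

static const char *
verdict_name (link_verdict v)
{
  return v == LINK_TRUSTED ? "trusted"
       : v == LINK_PROXY_CANDIDATE ? "proxy candidate" : "rejected";
}

int
main (void)
{
  /* Constructed sample status words. */
  const unsigned int samples[] = {
    0,
    ST_INVALID | ST_SIGNER_NOT_CA,
    ST_INVALID | ST_SIGNER_NOT_CA | ST_SIGNER_NOT_FOUND,
    ST_INVALID | ST_SIGNER_NOT_CA | ST_REVOKED
  };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("status 0x%03x -> %s\n", samples[i],
            verdict_name (classify_link (samples[i])));
  return 0;
}
```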
