[gnutls-devel] cert-type check ignores retrieve_function2

Rick van Rein rick at vanrein.org
Fri Jan 9 19:24:40 CET 2015


Hello,

When setting up TLS with cert-type OpenPGP from a client, the server verifies if it supports the extension’s contents in _gnutls_session_cert_type_supported().  This function checks for cred->get_cert_callback but not cred->get_cert_callback2.  As a result, servers set up for OpenPGP certificate credential callback with gnutls_certificate_set_retrieve_function2() are unable to use the OpenPGP certificate type.

This was first noticed on GnuTLS 3.2.1 and has been verified to still apply to GnuTLS 3.2.21.

The solution is to consider cred->get_cert_callback2 alongside cred->get_cert_callback in _gnutls_session_cert_type_supported().  A patch to do this has been appended; it has been confirmed to solve the problem.

An ugly workaround is to register a callback (for recognition of the extension support) and a callback2 (to override the previous callback), as on
https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12
The problem was tested to be circumvented with either this workaround or the patch below (or both).

I hope this is helpful.

Cheers,
 -Rick
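The check described in the post, reduced to a stand-alone model so the defect and its fix can be run side by side. This is an added example, not GnuTLS code and not the attached patch: `cert_credentials_t`, `cert_type_supported_buggy()`, `cert_type_supported_fixed()`, the `has_static_openpgp_cert` flag and `scenario_callback2_only()` are all assumed names that stand in for the real credentials structure and for _gnutls_session_cert_type_supported(); only the two field names `get_cert_callback` and `get_cert_callback2` come from the post.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical callback signatures, modelled loosely on the two retrieve
 * function variants the post mentions (the real prototypes differ). */
typedef int (*retrieve_fn)(void *session);
typedef int (*retrieve_fn2)(void *session, void *extra);

/* Simplified stand-in for the certificate credentials structure. The two
 * callback fields are the ones named in the post; the static-cert flag is an
 * assumption representing certificates loaded without any callback. */
typedef struct {
    retrieve_fn  get_cert_callback;   /* set by the older set_retrieve_function() */
    retrieve_fn2 get_cert_callback2;  /* set by set_retrieve_function2()          */
    int          has_static_openpgp_cert;
} cert_credentials_t;

/* The behaviour the post reports: only the first callback field is
 * consulted, so credentials that rely solely on callback2 are rejected. */
int cert_type_supported_buggy(const cert_credentials_t *cred)
{
    if (cred->has_static_openpgp_cert)
        return 1;
    if (cred->get_cert_callback != NULL)
        return 1;
    return 0;
}

/* The fix the post proposes: consider callback2 alongside callback. */
int cert_type_supported_fixed(const cert_credentials_t *cred)
{
    if (cred->has_static_openpgp_cert)
        return 1;
    if (cred->get_cert_callback != NULL || cred->get_cert_callback2 != NULL)
        return 1;
    return 0;
}

/* Placeholder callbacks; they never run here, only their presence matters. */
static int dummy_cb(void *session)
{
    (void)session;
    return 0;
}

static int dummy_cb2(void *session, void *extra)
{
    (void)session;
    (void)extra;
    return 0;
}

/* Server configured the way the post describes: retrieve_function2 only.
 * Returns the support decision of the buggy (0) or fixed (1) check. */
int scenario_callback2_only(int use_fixed)
{
    cert_credentials_t cred = { NULL, NULL, 0 };
    cred.get_cert_callback2 = dummy_cb2;
    return use_fixed ? cert_type_supported_fixed(&cred)
                     : cert_type_supported_buggy(&cred);
}

/* The post's workaround: register both callbacks, the second overriding the
 * first. Even the buggy check then accepts the certificate type. */
int scenario_workaround(void)
{
    cert_credentials_t cred = { NULL, NULL, 0 };
    cred.get_cert_callback  = dummy_cb;
    cred.get_cert_callback2 = dummy_cb2;
    return cert_type_supported_buggy(&cred);
}

int main(void)
{
    printf("callback2 only, buggy check : %d\n", scenario_callback2_only(0));
    printf("callback2 only, fixed check : %d\n", scenario_callback2_only(1));
    printf("both callbacks, buggy check : %d\n", scenario_workaround());
    return 0;
}
```

The first scenario reproduces the symptom (the server reports no OpenPGP support although a retrieve function is registered); the second shows why the double-registration workaround in the linked commit sidesteps it without touching the library.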

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-3.2.21-certtype-extension-retrieve-function2.patch
Type: application/octet-stream
Size: 711 bytes
Desc: not available
URL: </pipermail/attachments/20150109/3f467c12/attachment.obj>

