[gnutls-devel] GnuTLS | Documentation and/or behaviour around empty passwords is confusing (#1730)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Aug 12 14:55:49 CEST 2025



Alicja Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1730



(using gnutls-3.8.10)

If I perform export to PKCS#12 with `--password ''` then the resulting file is unreadable by NSS and OpenSSL. It's necessary to use the `--empty-password` switch to do that.

Frankly, I would say that:
1. that is surprising behaviour (doesn't match what NSS or OpenSSL do)
2. it is not at all clear from the man page that it is necessary for interoperability.

The man page states

```
       --password=str Password to use.

       You can use this option to specify the password in the command line in‐
       stead of reading it from the tty. Note, that the command line arguments
       are available for view in others in the system. Specifying password as
       '' is the same as specifying no password.

       --null-password Enforce a NULL password.

       This option enforces a NULL password. This is different than the empty
       or no password in schemas like PKCS #8.

       --empty-password Enforce an empty password.

       This option enforces an empty password. This is different than the NULL
       or no password in schemas like PKCS #8.
```

Which suggests that there are three ways of encoding no password: the "no password", "empty password", and "NULL password". In reality there are only two: either the PBKDF gets a string of length zero, or a two-byte string that encodes the NULL character using UCS-2 (which is more standard behaviour).

While I won't insist on changing the behaviour of `--password ''`, I think we can make the man page more descriptive about what is happening and what option is necessary for interoperability.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1730
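
The two PBKDF inputs described in the issue, as an added example that is not part of the original message and is not GnuTLS code. It assumes the key derivation of RFC 7292 Appendix B with SHA-256 and the MAC-key ID byte; the salt, iteration count and all function names are constructed for illustration. It shows that a zero-length password and the two-byte UCS-2 NUL derive different keys, so a file written with one cannot be verified with the other.

```python
import hashlib

SALT = bytes.fromhex("0102030405060708")  # constructed sample salt
ITERATIONS = 2048                         # constructed sample iteration count
ID_MAC_KEY = 3                            # RFC 7292 B.3: ID=3 derives MAC key material


def bmp_password(password: str) -> bytes:
    """RFC 7292 B.1 form: big-endian 2-byte characters plus a 2-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _fill(data: bytes, v: int) -> bytes:
    """Repeat data up to the next multiple of v bytes; empty input stays empty."""
    if not data:
        return b""
    size = v * ((len(data) + v - 1) // v)
    return (data * (size // len(data) + 1))[:size]


def pkcs12_kdf(password: bytes, salt: bytes, iterations: int,
               id_byte: int, n: int, hash_name: str = "sha256") -> bytes:
    """Key derivation from RFC 7292 Appendix B.2 over raw password bytes."""
    v = hashlib.new(hash_name).block_size
    diversifier = bytes([id_byte]) * v
    block = bytearray(_fill(salt, v) + _fill(password, v))  # I = S || P
    out = b""
    while len(out) < n:
        a = diversifier + bytes(block)
        for _ in range(iterations):
            a = hashlib.new(hash_name, a).digest()
        out += a
        b_plus_1 = int.from_bytes(_fill(a, v), "big") + 1
        for j in range(0, len(block), v):  # I_j = (I_j + B + 1) mod 2^(8v)
            total = int.from_bytes(block[j:j + v], "big") + b_plus_1
            block[j:j + v] = (total % (1 << (8 * v))).to_bytes(v, "big")
    return out[:n]


def derive_both(n: int = 32):
    """Return (key for zero-length password, key for two-byte UCS-2 NUL)."""
    zero_length = pkcs12_kdf(b"", SALT, ITERATIONS, ID_MAC_KEY, n)
    ucs2_nul = pkcs12_kdf(bmp_password(""), SALT, ITERATIONS, ID_MAC_KEY, n)
    return zero_length, ucs2_nul


if __name__ == "__main__":
    for label, key in zip(("zero-length", "UCS-2 NUL"), derive_both()):
        print(f"{label:12} {key.hex()}")
```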