[gnutls-devel] GnuTLS | gnutls-cli (Version 3.8.10) on macOS aborts with "Curve 1.3.36.3.3.2.8.1.1.7 is not supported" and assertions when server cert uses brainpoolP256r1 (#1767)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Nov 25 15:28:58 CET 2025
Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1767#note_2912678352
> 1. Can maintainers confirm whether gnutls (which versions) is expected to support RFC‑5639 Brainpool curves?
No, and it is not easy to support, as the underlying crypto library we use (Nettle) doesn't support it. That said, we can consider adding them if you file an issue for the enhancement.
> 2. If yes: what exact build dependencies and configure flags are required to enable brainpool support on macOS?
N/A
> 3. If this is a bug: please consider a patch to avoid ASSERTs and return a clean error path when encountering unknown curve OIDs in certificates.
To be clear: ASSERTs are only shown if you increase the debug level; by default they shouldn't be printed. Also note that here they do not imply "assertion failure" (unlike the `assert` macro), but just print debugging information.
I agree that we probably should return a more friendly error message in that case, rather than `*** Fatal error: Fehler im Zertifikat`.
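To check whether a certificate key uses a curve from the RFC 5639 Brainpool arc named in the error message, the namedCurve OID can be read from the key's DER AlgorithmIdentifier. The following is an added example, not part of the original message and not GnuTLS code; the function names are hypothetical and the sample bytes are constructed.

```python
# Added example: standard library only, constructed sample input.
ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # DER TLV of 1.2.840.10045.2.1
BRAINPOOL_ARC = "1.3.36.3.3.2.8.1.1."                   # RFC 5639 versionOne arc
BRAINPOOL_R1 = {"7": "brainpoolP256r1", "11": "brainpoolP384r1", "13": "brainpoolP512r1"}

# Constructed AlgorithmIdentifier: SEQUENCE { id-ecPublicKey, namedCurve }
SAMPLE_BRAINPOOL = bytes.fromhex("301406072a8648ce3d020106092b2403030208010107")
SAMPLE_P256 = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more follows"
        if byte & 0x80:
            continue
        if not arcs:                           # first subidentifier packs two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def named_curve_oid(der):
    """Return the OID that directly follows id-ecPublicKey, or None if absent."""
    pos = der.find(ID_EC_PUBLIC_KEY)
    if pos < 0:
        return None
    pos += len(ID_EC_PUBLIC_KEY)
    # Expect an OID tag (0x06) with a short-form length that fits in the buffer.
    if pos + 2 > len(der) or der[pos] != 0x06 or der[pos + 1] & 0x80:
        return None
    content = der[pos + 2 : pos + 2 + der[pos + 1]]
    return decode_oid(content) if len(content) == der[pos + 1] else None


def brainpool_name(oid):
    """Name the curve if the OID is in the Brainpool arc, else return None."""
    if oid is None or not oid.startswith(BRAINPOOL_ARC):
        return None
    return BRAINPOOL_R1.get(oid[len(BRAINPOOL_ARC):], "other RFC 5639 Brainpool curve")
```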