[Help-gnutls] Re: SMTP TLS & Thunderbird

David Given dg at cowlark.com
Mon Feb 12 23:08:51 CET 2007


Simon Josefsson wrote:
[...]
> This kind of feedback is very important, could you please describe in
> more detail what documentation led you wrong, and what mistakes you
> did?  The documentation isn't perfect, but in order to know where to
> spend time improving it, it is useful to know where the weakest parts
> are.

Well, the main issue with gnutls_certificate_set_x509_key_file() is that the
documentation doesn't describe what error codes get returned if the key files
couldn't be opened, or even that the return value is an error code at all: I
eventually figured it out by calling the function with a bogus filename and
inspecting the result (-64).

The function index is very hard to use, too. That function is described in
'Core functions' instead of 'X.509 certificate functions', which is where I
would expect it to be. You may want to consider having a unified index instead
of (or as well as) dividing it into multiple pages.

[...]
>   * Note that the priority is set on the client. The server does
>   * not use the algorithm's priority except for disabling
>   * algorithms that were not specified.
[...]
> The default cipher suite list
> doesn't include ANON, so the server will disable that KX unless you
> manually added it.
[...]
> Hm.  I'd agree that you don't really get the full picture from that
> docstring...

Yes, the docs strongly imply that all algorithms are enabled by default (which
makes sense).

[...]
>> Incidentally, my various early blundering attempts managed to get a number of
>> things wrong, which caused gnutls-cli to fall over good and hard. Is this
>> important?
> 
> Yes, anything that fails hard is a serious bug.  Please let me know!

The simplest thing I did to make it go wrong was to accidentally pass an
anonymous credentials structure to credentials_set() with CRD_CERTIFICATE.
That caused both ends to segfault. Unfortunately I don't have the logs any
more, but gnutls-cli did produce a number of assertion failures before it died.

-- 
┌── dg@cowlark.com ─── http://www.cowlark.com ───────────────────
│ "I have always wished for my computer to be as easy to use as my
│ telephone; my wish has come true because I can no longer figure out how to
│ use my telephone." --- Bjarne Stroustrup
