[Help-gnutls] Re: Verifying certificates with IPv6 crashes

Simon Josefsson simon at josefsson.org
Mon Jan 29 20:16:16 CET 2007

John Brooks <john at yarbbles.com> writes:

> #0  0xb76f6e5d in gnutls_auth_get_type () from /usr/lib/libgnutls.so.13
> #1  0xb76fb42d in gnutls_certificate_verify_peers2 () from /usr/lib/libgnutls.so.13
> #2  0xb7748d61 in ModuleSSLGnuTLS::VerifyCertificate (this=0x80c7050, session=0x80c70c8, user=0x8110f9c) at m_ssl_gnutls.cpp:668
>
> This happens only on sockets that are IPv6; IPv4 works fine. Since it
> crashes inside gnutls, my best guess is that something isn't properly
> handling IPv6 there; I went over our code quickly and didn't see
> anything that involved the IP that might be a problem.
> If you need more specifics on our implementation, see:
> http://svn.inspircd.org/index.cgi/trunk/inspircd/src/modules/extra/m_ssl_gnutls.cpp?view=co
> (Specifically, void VerifyCertificate(issl_session* session,
> Extensible* user))

The GnuTLS library is generally not aware of IPv4 vs IPv6 differences,
so without more information, I'm not sure that is the best theory.
The function you indicate is quite short:

  int server = session->security_parameters.entity == GNUTLS_SERVER ? 0 : 1;

  return
    _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo
                             (&session->security_parameters.
                              current_cipher_suite), server);

If code like that crashes, it probably means that the session variable
is NULL or garbled.

Please build a local copy of GnuTLS and re-run 'gdb' single-stepping
before the crash.  Running the binary under valgrind might help too.

Btw, have you looked at the GnuTLS C++ library?  If you are using C++,
it might be more appropriate.  However, few have tried it, and there
is no documentation or examples, so you are on your own. :)