[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
ludo at chbouib.org
Fri May 11 22:43:49 CEST 2007
Simon Josefsson <simon at josefsson.org> writes:

> Is OpenPGP preferred over X.509?

Nope, the certificate priority on both sides contains only X.509.

> If OpenPGP is preferred over X.509, and that has been negotiated, then
> X.509 certificates will not be sent. This is somewhat of a flaw in the
> TLS-OpenPGP draft IMHO; it should be possible to support both X.509 and
> OpenPGP at the same time.

OTOH, if both parties prefer OpenPGP, then it seems logical to use
OpenPGP _and_ send OpenPGP certificates (if required).

> I know that the recent GnuTLS default is to prefer OpenPGP over X.509.
> It is probably wrong, and I have reverted it in CVS HEAD.

Yes, since X.509 has been the default certificate type historically, it
should probably remain so.

> There may be other causes too, but this one is what I've run into a few
> times. Does this help?

Not much. :-)

> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
> this situation.

The 7-byte message means "empty certificate"; it is produced by
`_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.

So, the root of the problem is that `_find_x509_cert ()' finds no usable
certificate (I'm using the "automatic" mode, i.e., with no call-backs).
And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

That's as far as I could go for now. :-)
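The "empty certificate" message discussed above can be checked on the wire. The following is an added example, not code from this thread or from GnuTLS. It assumes the standard TLS 1.x Certificate handshake framing (RFC 5246 section 7.4.2: a 1-byte handshake type of 11, a 3-byte body length, then a 3-byte certificate_list length followed by 3-byte-length-prefixed entries), under which an empty list is exactly the 7 bytes 0b 00 00 03 00 00 00. The `cert_policy` enum is a hypothetical stand-in for the GNUTLS_CERT_REQUIRE / REQUEST / IGNORE settings and is not the GnuTLS API; the sample messages are constructed, and the 4-byte "certificate" in the second one is a dummy, not DER.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS HandshakeType value for the Certificate message (RFC 5246). */
enum { HS_CERTIFICATE = 11 };

/* Constructed sample: the 7-byte Certificate message with an empty
 * certificate_list -- type 11, body length 3, list length 0. */
static const uint8_t EMPTY_CERT_MSG[7] = {
    0x0b, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00
};

/* Constructed sample: one dummy 4-byte "certificate" in the list
 * (body length 10 = 3-byte list length + 3-byte entry length + 4 bytes). */
static const uint8_t ONE_CERT_MSG[14] = {
    0x0b, 0x00, 0x00, 0x0a,   /* type, body length 10   */
    0x00, 0x00, 0x07,         /* certificate_list length 7 */
    0x00, 0x00, 0x04,         /* entry length 4 */
    0xde, 0xad, 0xbe, 0xef    /* dummy bytes, not a real DER certificate */
};

static uint32_t read_u24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Parse a Certificate handshake message and return the number of entries
 * in certificate_list, or -1 if the framing is inconsistent. An empty
 * list (the 7-byte message from the thread) yields 0. */
int count_certificates(const uint8_t *msg, size_t len)
{
    if (len < 7 || msg[0] != HS_CERTIFICATE)
        return -1;
    uint32_t body_len = read_u24(msg + 1);
    if ((size_t)body_len + 4 != len)
        return -1;
    uint32_t list_len = read_u24(msg + 4);
    if ((size_t)list_len + 3 != body_len)
        return -1;

    size_t off = 7;
    int n = 0;
    while (off < len) {
        if (off + 3 > len)
            return -1;
        uint32_t clen = read_u24(msg + off);
        off += 3;
        /* A zero-length entry or one running past the message is malformed. */
        if (clen == 0 || off + clen > len)
            return -1;
        off += clen;
        n++;
    }
    return n;
}

/* Hypothetical policy enum mirroring the meaning of GNUTLS_CERT_IGNORE,
 * GNUTLS_CERT_REQUEST and GNUTLS_CERT_REQUIRE; not the GnuTLS API. */
typedef enum { CERT_IGNORE, CERT_REQUEST, CERT_REQUIRE } cert_policy;

/* Decide whether a peer's Certificate message satisfies the policy.
 * Malformed messages are never accepted; an empty list is accepted only
 * when the certificate was merely requested, not required. */
int accept_peer_certificate(cert_policy policy, const uint8_t *msg, size_t len)
{
    int n = count_certificates(msg, len);
    if (n < 0)
        return 0;
    if (n == 0)
        return policy != CERT_REQUIRE;
    return 1;
}

int main(void)
{
    printf("empty message: %d certificate(s), accepted under REQUIRE: %d\n",
           count_certificates(EMPTY_CERT_MSG, sizeof EMPTY_CERT_MSG),
           accept_peer_certificate(CERT_REQUIRE, EMPTY_CERT_MSG, sizeof EMPTY_CERT_MSG));
    printf("one-cert message: %d certificate(s), accepted under REQUIRE: %d\n",
           count_certificates(ONE_CERT_MSG, sizeof ONE_CERT_MSG),
           accept_peer_certificate(CERT_REQUIRE, ONE_CERT_MSG, sizeof ONE_CERT_MSG));
    return 0;
}
```

Run against the constructed samples, the 7-byte message parses as zero certificates and is rejected when a certificate is required but tolerated when it is only requested; a truncated or inconsistently framed message is rejected regardless of policy, which is the behaviour a server enforcing client authentication should have.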