[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Ludovic Courtès ludo at chbouib.org
Fri May 11 22:43:49 CEST 2007


Simon Josefsson <simon at josefsson.org> writes:

> Is OpenPGP preferred over X.509?

Nope, the certificate priority on both sides contains only X.509.

> If OpenPGP is preferred over X.509,
> and that has been negotiated, then X.509 certificates will not be sent.
> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
> possible to support both X.509 and OpenPGP at the same time.

OTOH, if both parties prefer OpenPGP, then it seems logical to use
OpenPGP _and_ send OpenPGP certificates (if required).

> I know that the GnuTLS recently default is to prefer OpenPGP over X.509.
> It is probably wrong, and I have reverted it in CVS HEAD.

Yes, since X.509 has been the default certificate type historically, it
should probably remain so.

> There may be other causes too, but this one is what I'm run into a few
> times.  Does this help?

Not much.  :-)

> Btw, is the 7-byte message wrong?  Maybe it shouldn't be sent at all in
> this situation.

The 7-byte message means "empty certificate"; it is produced by
`_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.

So, the root of the problem is that `_find_x509_cert ()' finds no usable
certificate (I'm using the "automatic" mode, i.e., with no call-backs).
And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

That's as far as I could go for now.  :-)


More information about the Gnutls-help mailing list