[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Simon Josefsson simon at josefsson.org
Sat May 12 11:01:14 CEST 2007

ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
> Simon Josefsson <simon at josefsson.org> writes:
>> Is OpenPGP preferred over X.509?
> Nope, the certificate priority on both sides contains only X.509.

Oh.  I see, bad theory then.  Hm.  Have you loaded the proper CA cert in
the server?  The server sends over some information about the known CA
certs, and if that doesn't match the user's certificate, the client
won't send its user certificate.

>> If OpenPGP is preferred over X.509,
>> and that has been negotiated, then X.509 certificates will not be sent.
>> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
>> possible to support both X.509 and OpenPGP at the same time.
> OTOH, if both parties prefer OpenPGP, then it seems logical to use
> OpenPGP _and_ send OpenPGP certificates (if required).

Yup.  Problem is in gnutls-cli: the preference is hard-coded to either
"x509 then openpgp" or "openpgp then x509".  It should probably depend
on which credentials are available: if x509 credentials are available,
prefer x509.  If openpgp credentials are available, prefer openpgp.  If
both are available, I'm not sure what the default should be.  Most
likely x509.

>> Btw, is the 7-byte message wrong?  Maybe it shouldn't be sent at all in
>> this situation.
> The 7-byte message means "empty certificate"; it is produced by
> `_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.
> So, the root of the problem is that `_find_x509_cert ()' finds no usable
> certificate (I'm using the "automatic" mode, i.e., with no call-backs).
> And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

Ok.  I think you'll need to debug why find_x509_cert doesn't return an
appropriate cert.  My "check your power cable"-theory is that there is
no user cert that matches the CA cert that the server uses.

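As an added illustration, not part of the thread and not GnuTLS code: a toy model in Python of the exchange discussed above. The server's CertificateRequest carries the list of CA names it trusts; the client, in the "automatic" mode Ludovic describes, picks the first certificate whose issuer appears in that list, and when nothing matches it still sends a Certificate message with an empty certificate_list. That empty message is exactly 7 bytes (1-byte handshake type, 3-byte length, 3-byte zero list length), which is the 7-byte message the thread is about. The DN and certificate bytes below are constructed placeholders (real TLS carries DER-encoded DistinguishedNames and certificates), and the issuer-equality rule is a simplification of how a real library matches against the CA list.

```python
"""Toy TLS 1.0/1.1 client-certificate selection (RFC 4346 section 7.4).
Added example: models the CertificateRequest -> Certificate exchange and the
7-byte "empty certificate" message; the data is constructed, not real DER."""
import struct

HS_CERTIFICATE = 0x0B          # HandshakeType certificate
HS_CERTIFICATE_REQUEST = 0x0D  # HandshakeType certificate_request
RSA_SIGN = 1                   # ClientCertificateType rsa_sign


def _u24(n: int) -> bytes:
    """24-bit big-endian length field used in handshake framing."""
    return struct.pack(">I", n)[1:]


def _handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake { msg_type, uint24 length, body }."""
    return bytes([msg_type]) + _u24(len(body)) + body


def encode_certificate_request(cert_types: list, ca_names: list) -> bytes:
    """Server side: CertificateRequest { certificate_types, certificate_authorities }.
    ca_names would be DER DistinguishedNames; here they are constructed bytes."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    names = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    return _handshake(HS_CERTIFICATE_REQUEST,
                      types + struct.pack(">H", len(names)) + names)


def parse_certificate_request(msg: bytes):
    """Client side: return (cert_types, ca_names) from a CertificateRequest."""
    if len(msg) < 4 or msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    (length,) = struct.unpack(">I", b"\x00" + msg[1:4])
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    ntypes = body[0]
    cert_types = list(body[1:1 + ntypes])
    pos = 1 + ntypes
    (names_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    end = pos + names_len
    if end != len(body):
        raise ValueError("bad certificate_authorities length")
    ca_names = []
    while pos < end:
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        ca_names.append(body[pos:pos + n])
        pos += n
    return cert_types, ca_names


def encode_certificate_message(der_chain: list) -> bytes:
    """Certificate { certificate_list<0..2^24-1> }; an empty list gives 7 bytes."""
    certs = b"".join(_u24(len(c)) + c for c in der_chain)
    return _handshake(HS_CERTIFICATE, _u24(len(certs)) + certs)


def select_client_cert(available: list, ca_names: list):
    """Simplified 'automatic' mode: first cert whose issuer the server listed."""
    for cert in available:
        if cert["issuer"] in ca_names:
            return cert
    return None


def respond_to_certificate_request(available: list, request: bytes) -> bytes:
    """What the client puts on the wire after seeing the server's request."""
    _, ca_names = parse_certificate_request(request)
    chosen = select_client_cert(available, ca_names)
    # No usable cert: the client still answers, with an empty certificate_list.
    return encode_certificate_message([] if chosen is None else [chosen["der"]])


# Constructed sample data (placeholders for DistinguishedName and cert DER).
CA_A = b"CN=Test CA A"
CA_B = b"CN=Test CA B"
CLIENT_CERTS = [{"issuer": CA_B, "der": b"\x30\x82" + b"\x00" * 14}]  # 16 bytes

REQUEST_FOR_A = encode_certificate_request([RSA_SIGN], [CA_A])  # server trusts CA A only
REQUEST_FOR_B = encode_certificate_request([RSA_SIGN], [CA_B])  # server trusts CA B

if __name__ == "__main__":
    empty = respond_to_certificate_request(CLIENT_CERTS, REQUEST_FOR_A)
    print(len(empty), empty.hex())          # 7 0b000003000000
    full = respond_to_certificate_request(CLIENT_CERTS, REQUEST_FOR_B)
    print(len(full), full[:10].hex())
```

Running it shows both outcomes side by side: when the server's CA list does not contain the issuer of the only client certificate, the client emits `0b 00 00 03 00 00 00`, the 7-byte message from the thread; when the list does contain it, the certificate_list carries the certificate. Loading the right CA certificate on the server side is therefore the first thing to check when a client that has credentials configured still sends an empty Certificate message.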