[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
From: Ludovic Courtès
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
Date: Fri, 11 May 2007 22:43:49 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
Hi,
Simon Josefsson <address@hidden> writes:
> Is OpenPGP preferred over X.509?
Nope, the certificate priority on both sides contains only X.509.
> If OpenPGP is preferred over X.509,
> and that has been negotiated, then X.509 certificates will not be sent.
> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
> possible to support both X.509 and OpenPGP at the same time.
OTOH, if both parties prefer OpenPGP, then it seems logical to use
OpenPGP _and_ send OpenPGP certificates (if required).
> I know that the recent GnuTLS default is to prefer OpenPGP over X.509.
> It is probably wrong, and I have reverted it in CVS HEAD.
Yes, since X.509 has been the default certificate type historically, it
should probably remain so.
> There may be other causes too, but this one is what I've run into a few
> times. Does this help?
Not much. :-)
> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
> this situation.
The 7-byte message means "empty certificate"; it is produced by
`_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.
So, the root of the problem is that `_find_x509_cert ()' finds no usable
certificate (I'm using the "automatic" mode, i.e., with no call-backs).
And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.
That's as far as I could go for now. :-)
Thanks,
Ludovic.
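
The 7-byte "empty certificate" message discussed in this thread, as an added example that is not part of the original message or of GnuTLS: a stand-alone C parser for the TLS Certificate handshake message that reports how many certificates the peer actually sent. It assumes the 7 bytes are the 4-byte handshake header followed by a zero 3-byte certificate_list length; `count_certificates` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 24-bit big-endian length field. */
static size_t be24(const uint8_t *p)
{
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/*
 * Parse one TLS 1.0-1.2 Certificate handshake message:
 *   type(1) | body len(3) | certificate_list len(3) | { cert len(3) | DER }*
 * Returns the number of certificates (0 means "empty certificate"),
 * or -1 if the buffer is not a well-formed Certificate message.
 */
int count_certificates(const uint8_t *msg, size_t len)
{
    if (len < 7 || msg[0] != 11)          /* HandshakeType certificate(11) */
        return -1;
    size_t body = be24(msg + 1);
    size_t list = be24(msg + 4);
    if (body != len - 4 || list != body - 3)
        return -1;                        /* length fields must agree */

    const uint8_t *p = msg + 7;
    size_t left = list;
    int n = 0;
    while (left > 0) {
        /* Fewer than 3 bytes left cannot hold a length: treat as clen 0. */
        size_t clen = left >= 3 ? be24(p) : 0;
        if (clen == 0 || clen > left - 3)
            return -1;                    /* truncated or zero-length entry */
        p += 3 + clen;
        left -= 3 + clen;
        n++;
    }
    return n;
}

/* Constructed samples, not captured traffic. */
const uint8_t empty_cert_msg[7] = { 11, 0, 0, 3, 0, 0, 0 };
const uint8_t one_cert_msg[12]  = { 11, 0, 0, 8, 0, 0, 5, 0, 0, 2, 0x30, 0x00 };

int main(void)
{
    printf("empty: %d, one: %d\n",
           count_certificates(empty_cert_msg, sizeof empty_cert_msg),
           count_certificates(one_cert_msg, sizeof one_cert_msg));
    return 0;
}
```

A return value of 0 is the case a server using `GNUTLS_CERT_REQUIRE` has to reject: the peer answered the certificate request but supplied no certificate.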