gnutls ca store for opensuse 12.1

David Woodhouse dwmw2 at infradead.org
Fri May 31 10:00:32 EDT 2013


On Sun, 2013-04-28 at 14:11 +0200, Joerg Mayer wrote:
> Hello,
> 
> this is against git head from today.

Apologies for delayed reply. Some messages which came in while I was on
paternity leave got ignored a little bit... :)

> During configure:
> 
> checking for GNUTLS... yes
> checking for gnutls_dtls_set_data_mtu... no
> checking for gnutls_certificate_set_x509_system_trust... no
> checking For location of system CA trust file... NOT FOUND
> configure: error: Unable to find a standard system CA certificate file.
>     Your GnuTLS requires a path to a CA certificate store. This is a file
>     which contains a list of the Certificate Authorities which are trusted.

It looks like upstream GnuTLS will fail similarly, right? I've
added /etc/ssl/ca-bundle.pem to my list, as you suggest. Nikos will
presumably want to do the same?

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/d5381b38


> diff --git a/configure.ac b/configure.ac
> a/configure.ac
> +    AC_CHECK_FUNC(gnutls_pk_to_sign,
> +                [AC_DEFINE(HAVE_GNUTLS_PUBKEY_TO_SIGN, 1)], [])
>      AC_CHECK_FUNC(gnutls_pubkey_verify_data2,
>                  [AC_DEFINE(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2, 1)], [])
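Review bot: the new AC_CHECK_FUNC(gnutls_pk_to_sign, ...) in the configure.ac hunk defines HAVE_GNUTLS_PUBKEY_TO_SIGN, which does not name the function it probes; the neighbouring check follows the function name (gnutls_pubkey_verify_data2 gives HAVE_GNUTLS_PUBKEY_VERIFY_DATA2), so rename the new macro to HAVE_GNUTLS_PK_TO_SIGN and adjust the matching `#if defined(...)` guard in gnutls.c, otherwise anyone grepping for the probe will not find where it is consumed.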
> diff --git a/gnutls.c b/gnutls.c
> --- a/gnutls.c
> -#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
> +#if defined(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2) && defined(HAVE_GNUTLS_PUBKEY_TO_SIGN)
>         gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
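Review bot: the widened guard `#if defined(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2) && defined(HAVE_GNUTLS_PUBKEY_TO_SIGN)` now disables this block whenever gnutls_pk_to_sign() is absent even if gnutls_pubkey_verify_data2() is present, so the hunk needs to show (or the commit message needs to state) that the `#else` branch still reaches gnutls_pubkey_verify_data() and signature verification is not silently dropped; the block also opens with `gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */`, a SHA-1 default, so confirm that every non-TPM key path overrides it before `algo` is used.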

In fact we might as well not bother checking for
gnutls_pubkey_verify_data2() at all. We'll check *only* for
gnutls_pk_to_sign(). If that doesn't exist, then we'll just use
gnutls_pubkey_verify_data() as before.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/221948f8

> Doing make now gets me a bit further:
> 
>   CC     openconnect-dtls.o
> ../dtls.c:129:2: error: #error This version of OpenSSL is known to be broken with Cisco DTLS.
>  #error This version of OpenSSL is known to be broken with Cisco DTLS.
>   ^
> make[1]: *** [openconnect-dtls.o] Error 1
> 
> IMO, this is plain wrong for several reasons:

Yeah, I was being lazy and pushing the burden onto the people who are
still using OpenSSL when they should have switched to GnuTLS (which is
in fact the default now, since 5.00).

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/a899e355

Thanks for reporting these.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation