GnuTLS support in OpenConnect

David Woodhouse dwmw2 at infradead.org
Mon Jun 11 12:00:17 EDT 2012


On Sun, 2012-06-10 at 20:57 -0400, Mike Miller wrote:
> >> Both of those are now fixed. There's an experimental patch against the
> >> GnuTLS 3.0 branch to provide Cisco-compatible DTLS support, at
> >> http://david.woodhou.se/gnutls-cisco-dtls-working-2.patch
> >
> > I'll include it in gnutls master.
> 
> Hey guys, trying to build gnutls master tonight in an effort to help
> test OpenConnect but I'm failing at:

I've just pushed support to the repository for building with *both*
GnuTLS and OpenSSL simultaneously.

It'll use GnuTLS for the HTTPS connections, including all the PKCS#11
goodness. Since that's all that's included in the libopenconnect
library, it's enough to fix the KDE licensing problem. And if your
version of GnuTLS doesn't include the Cisco DTLS support, it'll *also*
link the openconnect executable against OpenSSL and use that for DTLS.

So now you should have everything working¹ even if your GnuTLS is as old
as 2.12.16. Unfortunately, Fedora *still* isn't shipping GnuTLS 3.0, and
isn't even planning to do so in Fedora 18, citing the libnettle
requirement and alleged patent problems with the unconditional elliptic
curve support as reasons².

-- 
dwmw2

¹ The one thing that doesn't work with 2.12.x is warning the user that
  their certificate is about to expire, and working around an OpenSSL
  bug on the server, *if* the private key comes from PKCS#11. Not many
  people will care about that... and I could even fix the expiry check.

² https://bugzilla.redhat.com/show_bug.cgi?id=726886#c24