gnutls ca store for opensuse 12.1

Joerg Mayer jmayer at loplof.de
Sun Apr 28 08:11:45 EDT 2013


Hello,

this is against git head from today.

During configure:

checking for GNUTLS... yes
checking for gnutls_dtls_set_data_mtu... no
checking for gnutls_certificate_set_x509_system_trust... no
checking For location of system CA trust file... NOT FOUND
configure: error: Unable to find a standard system CA certificate file.
    Your GnuTLS requires a path to a CA certificate store. This is a file
    which contains a list of the Certificate Authorities which are trusted.
    Most distributions ship with this file in a standard location, but none
    the known standard locations exist on your system. You should provide a
    --with-system-cafile= argument to this configure script, giving the full
    path to a default CA certificate file for GnuTLS to use. Also, please
    send full details of your system, including 'uname -a' output and the
    location of the system CA certificate store on your system, to the
    openconnect-devel at lists.infradead.org mailing list.

jmayer at egg:~> uname -a
Linux egg 3.8.6-2-desktop #1 SMP PREEMPT Mon Apr 8 12:20:48 UTC 2013 (290a7e9) i686 i686 i386 GNU/Linux

jmayer at egg:~> lsb_release -a
LSB Version: n/a
Distributor ID: SUSE LINUX
Description: openSUSE 12.1 (i586)
Release:     12.1
Codename:    Asparagus

jmayer at egg:~/work/vpn/openconnect/build(master)> ../configure --with-system-cafile=/etc/ssl/ca-bundle.pem
[configure success]

During make:

make[1]: Entering directory `/home/jmayer/work/vpn/openconnect/build'
New version: v4.08-146-gf232096
  CC     libopenconnect_la-gnutls.lo
../gnutls.c: In function 'verify_signed_data':
../gnutls.c:590:3: error: implicit declaration of function 'gnutls_pk_to_sign' [-Werror=implicit-function-declaration]
   algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
   ^
../gnutls.c:590:3: warning: nested extern declaration of 'gnutls_pk_to_sign' [-Wnested-externs]
cc1: some warnings being treated as errors
make[1]: *** [libopenconnect_la-gnutls.lo] Error 1
make[1]: Leaving directory `/home/jmayer/work/vpn/openconnect/build'
make: *** [all-recursive] Error 1

jmayer at egg:~/work/vpn/openconnect(master)> zypper se -s gnutls | grep ^i
i | gnutls                | package    | 3.0.3-5.11.1 | i586   | openSUSE-Update
i | libgnutls-devel       | package    | 3.0.3-5.11.1 | i586   | openSUSE-Update
i | libgnutls-extra-devel | package    | 3.0.3-5.11.1 | i586   | openSUSE-Update
i | libgnutls-extra28     | package    | 3.0.3-5.11.1 | i586   | openSUSE-Update
i | libgnutls28           | package    | 3.0.3-5.11.1 | i586   | openSUSE-Update

jmayer at egg:~/work/vpn/openconnect(master)> zypper se -s openssl | grep ^i
i | libopenssl-devel      | package    | 1.0.0k-34.20.1 | i586   | openSUSE-Update
i | libopenssl1_0_0       | package    | 1.0.0k-34.20.1 | i586   | openSUSE-Update
i | openssl               | package    | 1.0.0k-34.20.1 | i586   | openSUSE-Update

Creating and applying the following change got me further (full patch attached)

diff --git a/configure.ac b/configure.ac
a/configure.ac
+    AC_CHECK_FUNC(gnutls_pk_to_sign,
+                [AC_DEFINE(HAVE_GNUTLS_PUBKEY_TO_SIGN, 1)], [])
     AC_CHECK_FUNC(gnutls_pubkey_verify_data2,
                 [AC_DEFINE(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2, 1)], [])
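Review bot: the macro defined by the new check does not follow the function it tests: AC_CHECK_FUNC(gnutls_pk_to_sign, ...) defines HAVE_GNUTLS_PUBKEY_TO_SIGN, whereas the neighbouring check pairs gnutls_pubkey_verify_data2 with HAVE_GNUTLS_PUBKEY_VERIFY_DATA2. Suggest HAVE_GNUTLS_PK_TO_SIGN (in configure.ac and in the gnutls.c guard) so the symbol can be traced back to the function. Also, AC_CHECK_FUNC only proves the symbol links; the failure quoted earlier in the mail is an implicit-declaration error under -Werror, i.e. a missing prototype, so an AC_CHECK_DECL against the GnuTLS header would test the condition the compiler actually enforces.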
diff --git a/gnutls.c b/gnutls.c
--- a/gnutls.c
-#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
+#if defined(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2) && defined(HAVE_GNUTLS_PUBKEY_TO_SIGN)
        gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */
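Review bot: the combined guard disables the whole gnutls_pubkey_verify_data2 branch whenever gnutls_pk_to_sign is absent, even on a GnuTLS that does provide verify_data2, so such builds silently take the older verification path; the #else side must therefore still compile against GnuTLS 3.0.3 (the reporter's version), and a one-line comment explaining why the algorithm lookup is mandatory here would save the next reader from re-deriving it. The macro name used in this #if must also match exactly what configure.ac defines, or the branch is never compiled on any system.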

Doing make now gets me a bit further:

  CC     openconnect-dtls.o
../dtls.c:129:2: error: #error This version of OpenSSL is known to be broken with Cisco DTLS.
 #error This version of OpenSSL is known to be broken with Cisco DTLS.
  ^
make[1]: *** [openconnect-dtls.o] Error 1

IMO, this is plain wrong for several reasons:
- This belongs in the configure check, not in the source file. Even then, it
  should probably be a prominent warning at the end of the process only, not an
  error. configure can also check for the gnutls version and either propose to use
  gnutls instead or even automagically fall back to using gnutls if present.
- As there will hopefully be an update one day to openssl that fixes the problem,
  it should always compile (not just via a define in the build) and complain at
  startup or (as currently also implemented) during connection setup. As openssl
  bugfix releases do not require applications to be recompiled, openconnect should
  not require this either.
- The server I want to connect to will accept TLS connections as well, but without
  fiddling with the source I won't be able to connect at all (because there is no
  binary); this again looks wrong to me.

jmayer at egg:~/work/vpn/openconnect/build(master)> CFLAGS=-DNO_BROKEN_DTLS_CHECK ../configure --with-system-cafile=/etc/ssl/ca-bundle.pem

This finally got me the binary I wanted :-)

Thanks for openconnect btw! Feel free to apply or modify+apply the patch to the
repo.

Ciao
       Jörg
--
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_pk_to_sign.patch
Type: text/x-diff
Size: 1150 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130428/3c321569/attachment.bin>
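Added example, not code from the mail or from openconnect: a POSIX shell probe that does what the configure check in the mail describes (try the standard CA bundle locations and otherwise ask for --with-system-cafile), but also validates the candidate before suggesting it as a trust store. The candidate path list is an assumption drawn from common distribution layouts; /etc/ssl/ca-bundle.pem is the openSUSE path the mail used.

```shell
#!/bin/sh
# Added example (not openconnect's configure script). Locate a usable
# system CA bundle and print the configure argument to pass.

# A usable trust store is a readable, non-empty PEM file holding at least
# one certificate block; anything else would make GnuTLS trust nothing.
is_valid_ca_bundle() {
    [ -r "$1" ] && [ -s "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Number of certificate blocks in a bundle (0 if empty or unreadable).
ca_bundle_cert_count() {
    c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Print the first valid bundle under the prefix (default: /) and return 0;
# return 1, like configure's NOT FOUND, when none of them qualifies.
# The candidate list is an assumption (common distribution layouts).
find_ca_bundle() {
    prefix=${1:-}
    for f in "$prefix/etc/ssl/ca-bundle.pem" \
             "$prefix/etc/ssl/certs/ca-certificates.crt" \
             "$prefix/etc/pki/tls/certs/ca-bundle.crt" \
             "$prefix/etc/ssl/cert.pem"; do
        if is_valid_ca_bundle "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the configure argument to use, or the NOT FOUND diagnostic.
configure_cafile_hint() {
    if f=$(find_ca_bundle "$1"); then
        printf '%s%s  (%s certificates)\n' '--with-system-cafile=' "$f" \
            "$(ca_bundle_cert_count "$f")"
    else
        echo "NOT FOUND: pass --with-system-cafile=/path/to/bundle.pem explicitly"
        return 1
    fi
}
```

Source the file and run `configure_cafile_hint` to check the real system; pass a prefix such as a chroot to inspect another tree.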