Re: [PATCH] GnuTLS: Work around failure to check certs against IP addresses
Date: Sun, 13 Jul 2014 07:14:33 +0100
On Sun, 2014-07-13 at 01:09 +0200, Dan Fandrich wrote:
> On Sat, Jul 12, 2014 at 05:59:56PM +0100, David Woodhouse wrote:
> > The cipher list problem was because Fedora's GnuTLS doesn't have SRP
> > support. Given that gnutls_set_priority_direct() actually *gives* us a
> > pointer to the part of the string that it objected to, our error
> > handling could stand to be improved somewhat at that point.
> This is rather unfortunate. I'll improve the error message as you suggest,
> but I wonder what the best way is to determine whether SRP is supported
> or not. Is there a compile-time check that can be used, or will it have
> to be done through some kind of probing at run time?

Hm, not sure. Nikos?

Actually I suspect the nicest way to handle this would be for
gnutls_priority_set_direct() to accept something like '+?SRP' in a
priority string, where the ? indicates that if it doesn't recognise the
following keyword it should silently ignore it instead of bailing out.
-- David Woodhouse Open Source Technology Centre David.Woodhouse_at_intel.com Intel Corporation