cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] GnuTLS: Work around failure to check certs against IP addresses

From: Dan Fandrich <>
Date: Mon, 14 Jul 2014 20:43:11 +0200

On Sun, Jul 13, 2014 at 07:14:33AM +0100, David Woodhouse wrote:
> On Sun, 2014-07-13 at 01:09 +0200, Dan Fandrich wrote:
> > On Sat, Jul 12, 2014 at 05:59:56PM +0100, David Woodhouse wrote:
> > > The cipher list problem was because Fedora's GnuTLS doesn't have SRP
> > > support. Given that gnutls_set_priority_direct() actually *gives* us a
> > > pointer to the part of the string that it objected to, our error
> > > handling could stand to be improved somewhat at that point.
> >
> > This is rather unfortunate. I'll improve the error message as you suggest,
> > but I wonder what the best way is to determine whether SRP is supported
> > or not. Is there a compile-time check that can be used, or will it have
> > to be done through some kind of probing at run time?
> Hm, not sure. Nikos?
> Actually I suspect the nicest way to handle this would be for
> gnutls_priority_set_direct() to accept something like '+?SRP' in a
> priority string, where the ? indicates that if it doesn't recognise the
> following keyword it should silently ignore it instead of bailing out.

This is probably something that should be solved somehow before this release as
well, as it will completely break SSL on GnuTLS systems that have SRP
configured away. Maybe I'll just add an #ifdef around the SRP part of the
priority string so it can be compiled away if desired, and just document this
in KNOWN_BUGS until we have a solution to solve it at run time.

Or, maybe the solution is to just look at the error offset returned from
gnutls_priority_set_direct() and if it's +SRP, just call it again without the
SRP. That could be a reliable way around this.

>>> Dan
List admin:
Received on 2014-07-14