curl-library

Re: [PATCH] GnuTLS: Work around failure to check certs against IP addresses

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Mon, 14 Jul 2014 22:33:45 +0200

On Mon, Jul 14, 2014 at 09:12:41PM +0200, Daniel Stenberg wrote:
> On Sun, 13 Jul 2014, David Woodhouse wrote:
>
> >>This is rather unfortunate. I'll improve the error message as you
> >>suggest, but I wonder what the best way is to determine whether
> >>SRP is supported or not. Is there a compile-time check that can
> >>be used, or will it have to be done through some kind of probing
> >>at run time?
> >
> >Hm, not sure. Nikos?
>
> Right now configure checks for gnutls_srp_verifier() being present
> and if so, #ifdef USE_TLS_SRP is being used in the source code for
> that condition.
>
> Good enough?

The problem I'm referring to is the one David reported right after I committed
447c31ce, which is that the priority list is rejected, presumably outright, if
GnuTLS was compiled without support for SRP. That would leave GnuTLS open to
using insecure ciphers in that case, which is what this code is there to try
to avoid.

I thought more about the idea I had for a run-time check and I can't think of
any downsides, so I've gone ahead and committed it. I'm not aware of any
other outstanding issues.

>>> Dan
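The run-time check discussed in this message, as an added example that is not part of the thread and not curl's own gtls.c code: the priority list is built with "+SRP" as its last token, handed to the installed libgnutls, and if the library rejects it with GNUTLS_E_INVALID_REQUEST pointing exactly at that token, the token is dropped and the list is tried once more. If even the SRP-free list is rejected the caller gets an error rather than a session running on whatever GnuTLS would pick by default, which is the outcome the check exists to prevent. It is written in Python over ctypes so it can be run against any installed libgnutls without headers or a rebuild; the base priority string is constructed for illustration and is not curl's actual list, the value -50 for GNUTLS_E_INVALID_REQUEST is the macro's value in gnutls/gnutls.h, and the two `probe_build_*` functions are simulations of a GnuTLS built with and without SRP so the selection logic runs offline.

```python
"""Run-time check for GnuTLS SRP support by probing a priority string.

Added example, not code from curl or from the thread. Assumes a GnuTLS
priority list whose last token is "+SRP", so that a parse failure reported
at that token can be attributed to missing SRP support.
"""
import ctypes
import ctypes.util
from typing import Callable, Optional, Tuple

GNUTLS_E_SUCCESS = 0
GNUTLS_E_INVALID_REQUEST = -50  # value of the macro in <gnutls/gnutls.h>

SRP_TOKEN = "+SRP"
# Constructed base list for illustration only; it is not curl's actual list.
BASE_PRIORITY = "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509"

# A probe takes a priority string and returns (rc, err_pos), where err_pos is
# the unparsed remainder starting at the rejected token (None on success).
ProbeResult = Tuple[int, Optional[str]]
Probe = Callable[[str], ProbeResult]


def with_srp(priority: str) -> str:
    """Append +SRP as the *last* token so a rejection there is attributable."""
    return f"{priority}:{SRP_TOKEN}"


def strip_trailing_srp(priority: str) -> str:
    """Remove the trailing :+SRP token; refuse to touch anything else."""
    suffix = ":" + SRP_TOKEN
    if not priority.endswith(suffix):
        raise ValueError(f"expected priority to end with {suffix!r}")
    return priority[: -len(suffix)]


def gnutls_probe(priority: str) -> ProbeResult:
    """Ask the installed libgnutls to parse `priority` (no headers needed)."""
    name = ctypes.util.find_library("gnutls")
    if name is None:
        raise OSError("libgnutls not found on this system")
    lib = ctypes.CDLL(name)
    # int gnutls_priority_init(gnutls_priority_t *, const char *, const char **)
    lib.gnutls_priority_init.argtypes = [
        ctypes.POINTER(ctypes.c_void_p), ctypes.c_char_p,
        ctypes.POINTER(ctypes.c_char_p),
    ]
    lib.gnutls_priority_init.restype = ctypes.c_int
    lib.gnutls_priority_deinit.argtypes = [ctypes.c_void_p]
    lib.gnutls_priority_deinit.restype = None

    raw = priority.encode("ascii")  # kept alive below: err_pos points into it
    cache = ctypes.c_void_p()
    err_pos = ctypes.c_char_p()
    rc = lib.gnutls_priority_init(ctypes.byref(cache), raw, ctypes.byref(err_pos))
    if rc == GNUTLS_E_SUCCESS:
        lib.gnutls_priority_deinit(cache)
        return rc, None
    return rc, (err_pos.value.decode("ascii") if err_pos.value else None)


def select_priority(want_srp: bool, probe: Probe = gnutls_probe,
                    base: str = BASE_PRIORITY) -> str:
    """Pick a priority string this GnuTLS accepts, or raise.

    Never falls through to the library defaults: if even the SRP-free list
    is rejected, the caller gets an exception instead of a session with
    whatever cipher set GnuTLS would otherwise choose.
    """
    candidate = with_srp(base) if want_srp else base
    rc, err_pos = probe(candidate)
    if rc == GNUTLS_E_SUCCESS:
        return candidate
    if want_srp and rc == GNUTLS_E_INVALID_REQUEST and err_pos == SRP_TOKEN:
        # Rejected exactly at +SRP: this GnuTLS was built without SRP.
        # Retry once with only that token removed.
        candidate = strip_trailing_srp(candidate)
        rc, err_pos = probe(candidate)
        if rc == GNUTLS_E_SUCCESS:
            return candidate
    raise RuntimeError(f"GnuTLS rejected priority string (rc={rc}) at {err_pos!r}")


# Simulated probes standing in for two kinds of GnuTLS build, so the
# selection logic can be exercised without the real library installed.
def probe_build_with_srp(priority: str) -> ProbeResult:
    return GNUTLS_E_SUCCESS, None


def probe_build_without_srp(priority: str) -> ProbeResult:
    if priority.endswith(":" + SRP_TOKEN):
        return GNUTLS_E_INVALID_REQUEST, SRP_TOKEN
    return GNUTLS_E_SUCCESS, None


if __name__ == "__main__":
    print("build with SRP   :", select_priority(True, probe_build_with_srp))
    print("build without SRP:", select_priority(True, probe_build_without_srp))
    try:
        print("installed libgnutls:", select_priority(True))
    except OSError as e:
        print("installed libgnutls:", e)
```

The comparison against err_pos is deliberately exact: GnuTLS reports the position of the first token it could not parse, so only a rejection whose remainder is precisely "+SRP" is taken as "no SRP in this build". A rejection anywhere earlier in the list, or of the SRP-free fallback, is a real configuration error and is surfaced instead of being retried.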
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-14