cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH] GnuTLS: Work around failure to check certs against IP addresses

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Sun, 13 Jul 2014 07:14:33 +0100

On Sun, 2014-07-13 at 01:09 +0200, Dan Fandrich wrote:
> On Sat, Jul 12, 2014 at 05:59:56PM +0100, David Woodhouse wrote:
> > The cipher list problem was because Fedora's GnuTLS doesn't have SRP
> > support. Given that gnutls_set_priority_direct() actually *gives* us a
> > pointer to the part of the string that it objected to, our error
> > handling could stand to be improved somewhat at that point.
>
> This is rather unfortunate. I'll improve the error message as you suggest,
> but I wonder what the best way is to determine whether SRP is supported
> or not. Is there a compile-time check that can be used, or will it have
> to be done through some kind of probing at run time?

Hm, not sure. Nikos?

Actually I suspect the nicest way to handle this would be for
gnutls_priority_set_direct() to accept something like '+?SRP' in a
priority string, where the ? indicates that if it doesn't recognise the
following keyword it should silently ignore it instead of bailing out.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse_at_intel.com                              Intel Corporation

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

  • application/x-pkcs7-signature attachment: smime.p7s
Received on 2014-07-13