On Fri, 2014-04-11 at 15:05 +0200, Thomas Uhle wrote:
>
> The changes in gnutls.c from v5.01 to v5.02 concerning "support of CA
> certificates from PKCS#11 tokens (with GnuTLS 3.2.7+)" break functionality
> in openconnect at least if compiled with GnuTLS 2.12.x. Therefore, it also
> affects libopenconnect2 (= 5.02-1) in Ubuntu 14.04 LTS.
Thanks for the bug report. Please could you describe the exact failure mode?
Can you provide output with '-v' both before and after the offending change?

Is it that the old code would correctly find "supporting" certificates and
include them on the wire, leading to a successful authentication... and the
new code doesn't manage to find them? I'd be looking for the 'Adding
supporting CA...' messages in the working code, and they'd be absent in the
failing code, in that case.

> I have tried to investigate this issue with GDB and have come as far as
> gnutls.c:1517 where err is not the return value of any call to
> gnutls_pkcs11_get_raw_issuer() or gnutls_x509_crt_import() within the
> code guarded by
> #if defined(HAVE_P11KIT) && defined(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER)

Right. In your case, the value of 'err' is still the one from the
gnutls_certificate_get_issuer() call.

You seem to have identified this as the culprit:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/b06b862f5

Please could you confirm that building that version from git is failing, and
building the previous version from before that patch is working? I'd like to
be sure it isn't one of the other changes in gnutls.c between v5.01 and v5.02.

Before the patch in question, the logic was:
 - Call gnutls_certificate_get_issuer().
 - If it failed, bail out.
 - Check if it returned nonsense, and bail out if so.

After the patch, the logic should be:
 - Call gnutls_certificate_get_issuer().
 - If it succeeded but returned nonsense, bail out.
 - If it failed but we can use get_raw_issuer(), try that.
 - If the last thing we tried failed, bail out.

I can't see anything obviously wrong.

-- 
dwmw2
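The before-and-after lookup logic listed in the reply above, as a worked model added for this page. It is not openconnect's gnutls.c and does not call GnuTLS: model_get_issuer() and model_get_raw_issuer() are stand-ins for gnutls_certificate_get_issuer() and gnutls_pkcs11_get_raw_issuer() over two constructed certificate tables (a trusted store and a PKCS#11 token), the error values, struct layout and DNs are made up for the model, and only the HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER half of the quoted #if guard is mirrored. The model records which call produced the err that ends the chain walk, which is the distinction the reply draws when it says err is still the one from gnutls_certificate_get_issuer().

```c
/* Constructed model of the issuer-chain walk discussed above. Not openconnect's
 * gnutls.c and no GnuTLS calls: model_get_issuer() and model_get_raw_issuer()
 * stand in for gnutls_certificate_get_issuer() and gnutls_pkcs11_get_raw_issuer()
 * over two constructed tables. Error values, struct layout and DNs are assumptions. */
#include <stdio.h>
#include <string.h>

/* Mirrors the build-time guard quoted in the mail; remove it to model a
 * GnuTLS build without gnutls_pkcs11_get_raw_issuer() (e.g. 2.12.x). */
#define HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER 1
#define M_OK              0
#define M_E_NOT_AVAILABLE (-56) /* stand-in for GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE */
#define M_E_BOGUS_ISSUER  (-1)  /* constructed: lookup succeeded but returned nonsense */
#define MAX_CHAIN         8
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))
struct cert { const char *subject; const char *issuer; /* equal for a self-signed cert */ };

/* Constructed trusted store (what the credentials object holds) and token contents. */
static const struct cert trusted_store[] = {
	{ "CN=Corp Root CA",    "CN=Corp Root CA" },
	{ "CN=Corp Issuing CA", "CN=Corp Root CA" },
};
static const struct cert token_store[] = {
	{ "CN=Partner Root CA", "CN=Partner Root CA" },
	{ "CN=Partner Sub CA",  "CN=Partner Root CA" },
};
/* Constructed client certificates to start the walk from. */
static const struct cert corp_leaf    = { "CN=vpn-user", "CN=Corp Issuing CA" };
static const struct cert partner_leaf = { "CN=vpn-user", "CN=Partner Sub CA" };

static int lookup(const struct cert *tbl, int n, const struct cert *c, const struct cert **out)
{
	for (int i = 0; i < n; i++)
		if (!strcmp(tbl[i].subject, c->issuer)) { *out = &tbl[i]; return M_OK; }
	return M_E_NOT_AVAILABLE;
}
static int model_get_issuer(const struct cert *c, const struct cert **out)
{ return lookup(trusted_store, COUNT(trusted_store), c, out); }
static int model_get_raw_issuer(const struct cert *c, const struct cert **out)
{ return lookup(token_store, COUNT(token_store), c, out); }

/* The "nonsense" check: a usable issuer is a different certificate whose subject
 * is the issuer DN we asked for. A self-signed root comes back as its own issuer
 * and must not be added as a supporting cert. */
static int issuer_is_sane(const struct cert *c, const struct cert *issuer)
{
	return issuer != c && !strcmp(issuer->subject, c->issuer);
}

enum step { STEP_GET_ISSUER, STEP_GET_RAW_ISSUER };
static enum step last_step;                 /* which call produced the final err */
static const struct cert *chain[MAX_CHAIN]; /* supporting certs collected by build_chain() */

/* One round of the post-patch logic as listed in the mail. */
static int find_issuer(const struct cert *c, int have_token, const struct cert **issuer)
{
	last_step = STEP_GET_ISSUER;
	int err = model_get_issuer(c, issuer);
	if (err == M_OK) /* succeeded: bail out only if it returned nonsense */
		return issuer_is_sane(c, *issuer) ? M_OK : M_E_BOGUS_ISSUER;
#ifdef HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER
	if (have_token) { /* failed, but we can ask the token */
		last_step = STEP_GET_RAW_ISSUER;
		err = model_get_raw_issuer(c, issuer);
		if (err == M_OK && !issuer_is_sane(c, *issuer))
			err = M_E_BOGUS_ISSUER;
	}
#endif
	return err; /* whatever the last thing we tried returned */
}

/* Walk up from the leaf, collecting supporting CAs into chain[] until a lookup fails
 * or returns nonsense (normally: we reached the root). Returns the number added. */
static int build_chain(const struct cert *leaf, int have_token)
{
	const struct cert *cur = leaf, *issuer;
	int n = 0;
	while (n < MAX_CHAIN) {
		int err = find_issuer(cur, have_token, &issuer);
		if (err != M_OK) {
			printf("Stopping at '%s': err %d from %s\n", cur->subject, err,
			       last_step == STEP_GET_RAW_ISSUER ? "get_raw_issuer()" : "get_issuer()");
			break;
		}
		printf("Adding supporting CA '%s'\n", issuer->subject);
		chain[n++] = issuer;
		cur = issuer;
	}
	return n;
}

int main(void)
{
	build_chain(&corp_leaf, 1);    /* issuers in the trusted store */
	build_chain(&partner_leaf, 0); /* issuers only on the token, no token configured */
	build_chain(&partner_leaf, 1); /* found via the get_raw_issuer() fallback */
	return 0;
}
```

Run as written, it prints two 'Adding supporting CA' lines for the corp leaf (the walk then stops because the root comes back as its own issuer, the "succeeded but nonsense" case), nothing for the partner leaf when no token is configured (err comes from get_issuer()), and two supporting certs for the partner leaf once the token fallback is both compiled in and configured. Removing the #define models a build without gnutls_pkcs11_get_raw_issuer(), in which only the trusted-store lookup exists and any issuer held solely on the token is never added; whether that is what the reporter's GnuTLS 2.12.x build is hitting is exactly what the reply asks to be confirmed.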