On 2014-07-03 Atsuhito Kohda <[email protected]> wrote:
[...]
> Okay, I'm building the package now.
Thanks for the quick upload.
> But then I'm afraid libgnutls-dev should depend on
> libgnutls28-dev.
> I believe dependency on libgnutls-dev is much more reasonable
> than dependency on libgnutls28-dev.
Yes, the current state is a little bit ugly, but could not be helped,
due to incompatibilities.
> And I find that the new package seems to fix also #752610.
> Is this correct?
It might make reproducing the bug against the test-site irreproducible,
but there is a real bug in lynx that needs fixing. lynx does not do
certificate verification properly as it only fails if
GNUTLS_CERT_SIGNER_NOT_FOUND is set.
Compare what lynx does ...
-----------------
ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
if (ret < 0 || (ret == 0 &&
                tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
    /* more checks to be done */
}
/* otherwise we think we succeeded */
-----------------
with ex-rfc2818.c
-----------------
ret = gnutls_certificate_verify_peers2 (session, &status);
if (ret < 0)
  {
    printf ("Error\n");
    return GNUTLS_E_CERTIFICATE_ERROR;
  }
if (status & GNUTLS_CERT_INVALID)
  printf ("The certificate is not trusted.\n");
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
  printf ("The certificate hasn't got a known issuer.\n");
/* do the same for other gnutls errors */
-----------------
with gnutls >= 3.1.3 this can be simplified, using
gnutls_certificate_verification_status_print().
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
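To make the difference between the two checks concrete, here is an added illustration (not code from lynx or from gnutls) that runs both decision rules over the same status bitmask; the CERT_* constants are local stand-ins whose values mirror gnutls_certificate_status_t, and lynx_accepts/rfc2818_accepts are hypothetical helpers.

```c
#include <stdbool.h>
#include <stdio.h>
/* Local stand-ins for the gnutls_certificate_status_t bits used below;
 * the values mirror gnutls/gnutls.h so this builds without gnutls. */
enum {
    CERT_INVALID          = 1 << 1,
    CERT_REVOKED          = 1 << 5,
    CERT_SIGNER_NOT_FOUND = 1 << 6,
    CERT_EXPIRED          = 1 << 10,
};

/* The lynx check quoted above: the only status bit treated as fatal is
 * "issuer unknown". ret stands for the gnutls_certificate_verify_peers2
 * return value, status for the bitmask it filled in. */
bool lynx_accepts(int ret, unsigned int status)
{
    if (ret < 0 || (ret == 0 && (status & CERT_SIGNER_NOT_FOUND)))
        return false;
    return true;
}

/* The ex-rfc2818.c rule: the call must succeed AND no failure bit may be
 * set. gnutls reports CERT_INVALID together with the specific reason, so
 * rejecting on any non-zero status covers expired, revoked and untrusted-CA
 * certificates alike. */
bool rfc2818_accepts(int ret, unsigned int status)
{
    if (ret < 0)
        return false;   /* verification itself failed */
    if (status != 0)
        return false;   /* certificate not trusted, whatever the reason */
    return true;
}

/* Constructed scenarios: an expired or revoked certificate from a known
 * issuer passes the lynx check but not the rfc2818 one. */
int main(void)
{
    struct { const char *name; unsigned int status; } cases[] = {
        { "valid chain",           0 },
        { "expired, known issuer", CERT_INVALID | CERT_EXPIRED },
        { "revoked, known issuer", CERT_INVALID | CERT_REVOKED },
        { "issuer unknown",        CERT_INVALID | CERT_SIGNER_NOT_FOUND },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s lynx=%s rfc2818=%s\n", cases[i].name,
               lynx_accepts(0, cases[i].status) ? "accept" : "reject",
               rfc2818_accepts(0, cases[i].status) ? "accept" : "reject");
    return 0;
}
```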