help-gnutls

[Help-gnutls] Re: SMTP TLS & Thunderbird


From: David Given
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
Date: Mon, 12 Feb 2007 22:08:51 +0000
User-agent: Thunderbird 1.5.0.9 (X11/20061206)

Simon Josefsson wrote:
[...]
> This kind of feedback is very important, could you please describe in
> more detail what documentation led you wrong, and what mistakes you
> did?  The documentation isn't perfect, but in order to know where to
> spend time improving it, it is useful to know where the weakest parts
> are.

Well, the main issue with gnutls_certificate_set_x509_key_file() is that the
documentation doesn't describe what error codes get returned if the key files
couldn't be opened, or even that the return value is an error code at all: I
eventually figured it out by calling the function with a bogus filename and
inspecting the result (-64).

The function index is very hard to use, too. That function is described in
'Core functions' instead of 'X.509 certificate functions', which is where I
would expect it to be. You may want to consider having a unified index instead
of (or as well as) dividing it into multiple pages.

[...]
>   * Note that the priority is set on the client. The server does
>   * not use the algorithm's priority except for disabling
>   * algorithms that were not specified.
[...]
> The default cipher suite list
> doesn't include ANON, so the server will disable that KX unless you
> manually added it.
[...]
> Hm.  I'd agree that you don't really get the full picture from that
> docstring...

Yes, the docs strongly imply that all algorithms are enabled by default (which
makes sense).

[...]
>> Incidentally, my various early blundering attempts managed to get a number of
>> things wrong, which caused gnutls-cli to fall over good and hard. Is this
>> important?
> 
> Yes, anything that fails hard is a serious bug.  Please let me know!

The simplest thing I did to make it go wrong was to accidentally pass an
anonymous credentials structure to credentials_set() with CRD_CERTIFICATE.
That caused both ends to segfault. Unfortunately I don't have the logs any
more, but gnutls-cli did produce a number of assertion failures before it died.

-- 
┌── dg@cowlark.com ─── http://www.cowlark.com ───────────────────
│ "I have always wished for my computer to be as easy to use as my
│ telephone; my wish has come true because I can no longer figure out how to
│ use my telephone." --- Bjarne Stroustrup

Attachment: signature.asc
Description: OpenPGP digital signature
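
The credentials mix-up described in the message above is possible because the setter takes a type tag and an untyped pointer as separate arguments, so nothing ties one to the other. The following is an added sketch, not code from the thread or from GnuTLS, of a caller-side wrapper that keeps the tag with the pointer and fails closed on a mismatch. Every name in it (`cred_kind`, `tagged_cred`, `raw_set`, `checked_set` and the stand-in structs) is hypothetical and models the pattern rather than the library's API.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the library's credential structures. */
struct anon_cred { int dh_bits; };
struct cert_cred { const char *key_file; };

enum cred_kind { KIND_ANON = 1, KIND_CERTIFICATE = 2 };

/* Model of an API shaped like credentials_set(): the type tag and the
 * untyped pointer arrive separately, so nothing ties them together. */
struct session { enum cred_kind kind; void *cred; };

static int raw_set(struct session *s, enum cred_kind kind, void *cred)
{
    s->kind = kind;
    s->cred = cred;
    return 0;
}

/* Caller-side wrapper: the tag is fixed by the constructor for each
 * structure and travels with the pointer from then on. */
struct tagged_cred { enum cred_kind kind; void *ptr; };

struct tagged_cred wrap_anon(struct anon_cred *c)
{
    struct tagged_cred t = { KIND_ANON, c };
    return t;
}

struct tagged_cred wrap_cert(struct cert_cred *c)
{
    struct tagged_cred t = { KIND_CERTIFICATE, c };
    return t;
}

/* Returns 0 on success, -1 if the caller asked for a kind that the
 * wrapped pointer is not; the raw setter is never reached on mismatch. */
int checked_set(struct session *s, enum cred_kind wanted, struct tagged_cred c)
{
    if (s == NULL || c.ptr == NULL || c.kind != wanted)
        return -1;
    return raw_set(s, c.kind, c.ptr);
}
```

In a real program `raw_set` would be the library call itself, and only `wrap_*` and `checked_set` would be exposed to the rest of the code.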