[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: Handling "normal" peer errors on invalid certs
From: |
Simon Josefsson |
Subject: |
[Help-gnutls] Re: Handling "normal" peer errors on invalid certs |
Date: |
Tue, 12 Jun 2007 18:27:31 +0200 |
User-agent: |
Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux) |
Philip Kovacs <address@hidden> writes:
> Hi. I'm new to GnuTLS. I'm using it for a client-server library and
> I have a fairly basic question.
Hi! Welcome.
> When my server is configured to require x.509 client certificates,
> and the client either fails to send one, or sends an invalid one,
> the server detects this error during its gnuttls_handshake() and
> I have the server break off the connection, as desired.
>
> The client's gnutls_handshake(), upon server break-off is returning
> either GNUTLS_E_PUSH_ERROR or GNUTLS_E_UNEXPECTED_PACKET_LENGTH.
>
> The server situation is similar: if the client detects an invalid
> server certificate, I have the client break off the connection.
> The server then sees GNUTLS_E_UNEXPECTED_PACKET_LENGTH in its (first)
> gnutls_record_recv().
>
> Is there something more I need to do in order to close the communication
> down more "gracefully" in situations where certificate failures are seen?
>
> Just seems odd to be handling GNUTLS_E_PUSH_ERROR or
> GNUTLS_E_UNEXPECTED_PACKET_LENGTH "normally" when the other side doesn't
> like the certificate.
I suspect the error handling here is simply sub-optimal, and that you
aren't doing anything wrong.
Creating a self-test inside GnuTLS tests/ that trigger this situation
would help. Having that self-test would help us test what kind of
errors really should be returned in this situation, and how to return
them. I can't commit to work on this now, so I added the following to
doc/TODO:
- Investigate why failed client authentication results in weird error
messages. See http://permalink.gmane.org/gmane.network.gnutls.general/875
If you or others wants to work on it, you are very welcome to do so.
/Simon