10 Jun 12:55
Re: GnuTLS 2.3.12 - second release candidate for 2.4.0
From: Simon Josefsson <simon <at> josefsson.org>
Subject: Re: GnuTLS 2.3.12 - second release candidate for 2.4.0
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel
Date: 2008-06-10 10:55:44 GMT
"Nikos Mavrogiannopoulos" <n.mavrogiannopoulos <at> gmail.com> writes:

> On Mon, Jun 9, 2008 at 12:57 AM, Daniel Kahn Gillmor
> <dkg-debian.org <at> fifthhorseman.net> wrote:
>
>> It's not clear to me if you mean that this should be resolved in
>> 2.3.12, or after 2.3.12, Nikos. It looks to me like it has *not* been
>> resolved in 2.3.12 yet. In particular, it appears to fail open: when
>> one userid is verified, it treats them all as verified, even User IDs
>> that have no certifications other than self-signatures.
>
>> When i run the tests from
>> http://trac.gnutls.org/cgi-bin/trac.cgi/attachment/ticket/32/openpgp-certs.tgz
>> against the 2.3.12 packages in debian experimental, i get the
>> following output:
>
> Hello Daniel!
> I was talking about a recent commit in the git repository. I've also
> modified your tests to check the gnutls behaviour (as it is now both
> of your tests should fail). The new behaviour is to consider not
> verified all openpgp keys that have at least one unsigned by a trusted
> party user id.

Nikos, the self-test doesn't seem to work, see below.

/Simon

make[1]: Entering directory `/home/jas/src/gnutls/tests/openpgp-certs'
+ srcdir=.
+ SERV='../../src/gnutls-serv -q'
+ CLI=../../src/gnutls-cli
+ unset RETCODE
+ echo 'Checking OpenPGP certificate verification'
Checking OpenPGP certificate verification
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile ./srv-public-127.0.0.1-signed.gpg --pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ ../../src/gnutls-cli -p 5556 localhost --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile ./srv-public-localhost-signed.gpg --pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ echo
+ ../../src/gnutls-cli -p 5556 127.0.0.1 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile ./srv-public-all-signed.gpg --pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ echo
+ ../../src/gnutls-cli -p 5556 127.0.0.1 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ fail 'Connection to signed PGP certificate should have succeeded! (error code 1)' 1
+ echo 'Failure: Connection to signed PGP certificate should have succeeded! (error code 1)'
Failure: Connection to signed PGP certificate should have succeeded! (error code 1)
+ RETCODE=1
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ exit 1
FAIL: testcerts
===================================
1 of 1 tests failed
Please report to bug-gnutls <at> gnu.org
===================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory `/home/jas/src/gnutls/tests/openpgp-certs'
make: *** [check-am] Error 2
jas <at> mocca:~/src/gnutls/tests/openpgp-certs$
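
The two key-level policies discussed in this thread, modelled side by side as an added example; it is not part of the original message and is not GnuTLS code. The User ID names, the "CA" certifier label and the exact-match host check are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserID:
    name: str                # host name carried in the OpenPGP User ID
    certified_by: frozenset  # third-party certifiers; self-signatures excluded

def key_verified_fail_open(uids, trusted):
    """Behaviour reported against 2.3.12: one certified User ID vouches for all."""
    return any(u.certified_by & trusted for u in uids)

def key_verified_strict(uids, trusted):
    """Behaviour described for the git commit: a single User ID without a
    certification from a trusted party makes the whole key unverified."""
    return bool(uids) and all(u.certified_by & trusted for u in uids)

def accept(uids, trusted, host, key_verified):
    """Client decision: key-level verdict plus a host name match.
    Exact string comparison is a simplification made for this example."""
    return key_verified(uids, trusted) and any(u.name == host for u in uids)

# Constructed sample data. User ID names are assumed from the test file names.
TRUSTED = frozenset({"CA"})
ONLY_IP_SIGNED = [UserID("127.0.0.1", frozenset({"CA"})),
                  UserID("localhost", frozenset())]  # self-signature only
ALL_SIGNED = [UserID("127.0.0.1", frozenset({"CA"})),
              UserID("localhost", frozenset({"CA"}))]

def decision_table():
    """Return (key, host, fail_open_result, strict_result) for each case."""
    rows = []
    for label, key in (("only-ip-signed", ONLY_IP_SIGNED),
                       ("all-signed", ALL_SIGNED)):
        for host in ("127.0.0.1", "localhost", "127.0.0.2"):
            rows.append((label, host,
                         accept(key, TRUSTED, host, key_verified_fail_open),
                         accept(key, TRUSTED, host, key_verified_strict)))
    return rows

if __name__ == "__main__":
    for label, host, loose, strict in decision_table():
        print(f"{label:15} {host:10} fail-open={loose!s:5} strict={strict}")
```

Under the strict policy only the fully certified key is accepted, and only for a host named in one of its User IDs, which matches what the test log expects from the `srv-public-all-signed.gpg` run.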