gnutls-devel

Re: Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in


From: Nikos Mavrogiannopoulos
Subject: Re: Bug#640639: libcurl: CURLE_SSL_CACERT_BADFILE error when all CAs in ca-certificates disabled
Date: Tue, 06 Sep 2011 12:40:16 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.20) Gecko/20110820 Icedove/3.1.12

On 09/06/2011 12:16 PM, Simon Josefsson wrote:

| $ ls -l /etc/ssl/certs/ca-certificates.crt
| -rw-r--r-- 1 root root 0 Sep  2 00:07 /etc/ssl/certs/ca-certificates.crt

This is probably a libgnutls bug, but since I haven't pinned it down
I'm filing it here.  Known problem?

I recall similar problems when I also disabled all CAs on my machine
long time ago.  I suspect some software may be checking the return
code from the CA loading function, and will treat loading of 0
certificates as an error. Please try to track down the code that
triggers the error message to test this theory.

I believe it isn't that simple. I think the code that returns the
error in this case can be found here:

    https://github.com/bagder/curl/blob/master/lib/gtls.c#L377

... and it clearly checks for a negative return value for it to be an error.

Thanks for the pointer -- I managed to track it down, and installed a
patch for it:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=ab782d356200f44736edb687304d5e90438e2185

This is tricky. How do you distinguish bad PEM encoding from zero certificates? In any case I think that gnutls_x509_crt_list_import() should fail on such error, since it was always like that. The fix should be in gnutls_certificate_set_x509_trust_mem() and friends. I'll try to check it out.

regards,
Nikos
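
Added example, not part of the original message and not GnuTLS or curl code: a stand-alone C function that separates the two cases asked about above, a CA bundle holding zero certificates versus one with damaged PEM armor. The names `count_pem_certs`, `load_failed` and `ERR_BAD_PEM` are hypothetical, and the check covers the armor only (no DER parsing), so a file with no BEGIN marker at all still counts as zero certificates.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN   "-----BEGIN CERTIFICATE-----"
#define PEM_END     "-----END CERTIFICATE-----"
#define B64_CHARS   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
#define ERR_BAD_PEM (-1) /* hypothetical code, not a GnuTLS constant */

/* Both helpers are only called on bytes before the terminating NUL. */
static int is_ws(char c)  { return strchr(" \t\r\n", c) != NULL; }
static int is_b64(char c) { return strchr(B64_CHARS, c) != NULL; }

/* Count CERTIFICATE blocks in a NUL-terminated CA bundle (armor check only,
 * no DER parsing). Returns the count, 0 for a file with no blocks, or
 * ERR_BAD_PEM when a block is opened but truncated, empty or not base64.
 * Text outside blocks is ignored, as bundles often carry comments. */
int count_pem_certs(const char *buf)
{
    int n = 0;
    const char *p = buf;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *q = p + strlen(PEM_BEGIN);
        const char *end = strstr(q, PEM_END);
        int payload = 0;
        if (end == NULL)
            return ERR_BAD_PEM;              /* BEGIN without END */
        for (; q < end; q++) {
            if (is_b64(*q))
                payload++;
            else if (!is_ws(*q))
                return ERR_BAD_PEM;          /* stray byte inside the armor */
        }
        if (payload == 0)
            return ERR_BAD_PEM;              /* markers with nothing between */
        n++;
        p = end + strlen(PEM_END);
    }
    return n;
}

/* Caller policy as described in the thread: only a negative value is an error. */
int load_failed(const char *buf) { return count_pem_certs(buf) < 0; }

int main(void)
{
    /* Constructed inputs: a 0-byte file and a truncated block. */
    printf("%d %d\n", count_pem_certs(""), count_pem_certs(PEM_BEGIN "\nTUlJQg==\n"));
    return 0;
}
```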


