Simon Josefsson wrote:
[...]
> This kind of feedback is very important, could you please describe in
> more detail what documentation led you wrong, and what mistakes you
> did? The documentation isn't perfect, but in order to know where to
> spend time improving it, it is useful to know where the weakest parts
> are.

Well, the main issue with gnutls_certificate_set_x509_key_file() is that the documentation doesn't describe what error codes get returned if the key files couldn't be opened, or even that the return value is an error code at all: I eventually figured it out by calling the function with a bogus filename and inspecting the result (-64).

The function index is very hard to use, too. That function is described in 'Core functions' instead of 'X.509 certificate functions', which is where I would expect it to be. You may want to consider having a unified index instead of (or as well as) dividing it into multiple pages.

[...]
> * Note that the priority is set on the client. The server does
> * not use the algorithm's priority except for disabling
> * algorithms that were not specified.
[...]
> The default cipher suite list
> doesn't include ANON, so the server will disable that KX unless you
> manually added it.
[...]
> Hm. I'd agree that you don't really get the full picture from that
> docstring...

Yes, the docs strongly imply that all algorithms are enabled by default (which makes sense).

[...]
>> Incidentally, my various early blundering attempts managed to get a number of
>> things wrong, which caused gnutls-cli to fall over good and hard. Is this
>> important?
>
> Yes, anything that fails hard is a serious bug. Please let me know!

The simplest thing I did to make it go wrong was to accidentally pass an anonymous credentials structure to credentials_set() with CRD_CERTIFICATE. That caused both ends to segfault. Unfortunately I don't have the logs any more, but gnutls-cli did produce a number of assertion failures before it died.

--
┌── dg@cowlark.com ─── http://www.cowlark.com ───────────────────
│ "I have always wished for my computer to be as easy to use as my
│ telephone; my wish has come true because I can no longer figure out how to
│ use my telephone." --- Bjarne Stroustrup
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
