Hi,

Simon Josefsson <[EMAIL PROTECTED]> writes:

> Is OpenPGP preferred over X.509?

Nope, the certificate priority on both sides contains only X.509.

> If OpenPGP is preferred over X.509,
> and that has been negotiated, then X.509 certificates will not be sent.
> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
> possible to support both X.509 and OpenPGP at the same time.

OTOH, if both parties prefer OpenPGP, then it seems logical to use OpenPGP _and_ send OpenPGP certificates (if required).

> I know that the recent GnuTLS default is to prefer OpenPGP over X.509.
> It is probably wrong, and I have reverted it in CVS HEAD.

Yes, since X.509 has been the default certificate type historically, it should probably remain so.

> There may be other causes too, but this one is what I've run into a few
> times. Does this help?

Not much. :-)

> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
> this situation.

The 7-byte message means "empty certificate"; it is produced by `_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.

So, the root of the problem is that `_find_x509_cert ()' finds no usable certificate (I'm using the "automatic" mode, i.e., with no call-backs). And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

That's as far as I could go for now. :-)

Thanks,
Ludovic.
