[EMAIL PROTECTED] (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <[EMAIL PROTECTED]> writes:
>
>> Is OpenPGP preferred over X.509?
>
> Nope, the certificate priority on both sides contains only X.509.

Oh. I see, bad theory then. Hm. Have you loaded the proper CA cert in
the server? The server sends over some information about the known CA
certs, and if that doesn't match the user's certificate, the client
won't send its user certificate.

>> If OpenPGP is preferred over X.509,
>> and that has been negotiated, then X.509 certificates will not be sent.
>> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
>> possible to support both X.509 and OpenPGP at the same time.
>
> OTOH, if both parties prefer OpenPGP, then it seems logical to use
> OpenPGP _and_ send OpenPGP certificates (if required).

Yup. Problem is in gnutls-cli: the preference is hard-coded to either
"x509 then openpgp" or "openpgp then x509". It should probably depend
on which credentials are available: if x509 credentials are available,
prefer x509. If openpgp credentials are available, prefer openpgp. If
both are available, I'm not sure what the default should be. Most
likely x509.

>> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
>> this situation.
>
> The 7-byte message means "empty certificate"; it is produced by
> `_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.
>
> So, the root of the problem is that `_find_x509_cert ()' finds no usable
> certificate (I'm using the "automatic" mode, i.e., with no call-backs).
> And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

Ok. I think you'll need to debug why find_x509_cert doesn't return an
appropriate cert. My "check your power cable" theory is that there is
no user cert that matches the CA cert that the server uses.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
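The behaviour discussed in this thread, as an added example that is not GnuTLS code and not part of the original exchange: a client picks a certificate only if its issuer is among the CA names the server advertised, and otherwise sends an empty TLS Certificate handshake message, which is exactly the 7 bytes Ludovic observed (1-byte type, 3-byte length, 3-byte empty certificate_list). Function names and the sample certificates are constructed for this example.

```python
"""Model of client-certificate selection in a TLS handshake (example, not GnuTLS)."""
from typing import Optional, Sequence, List

HANDSHAKE_CERTIFICATE = 0x0B  # TLS handshake message type "Certificate"

# Constructed sample credential: a client cert issued by a home-grown CA.
# The "der" field is a stand-in blob, not a real certificate.
CLIENT_CERTS = [
    {"subject": "CN=ludo", "issuer": "CN=Home CA", "der": b"\x30\x03\x02\x01\x01"},
]


def select_client_cert(certs: Sequence[dict], server_cas: Sequence[str]) -> Optional[dict]:
    """Return the first cert whose issuer DN is in the CA list the server sent.

    This is the check that fails in the thread: the server's CA list does not
    name the issuer of the user's cert, so no certificate is usable.
    """
    for cert in certs:
        if cert["issuer"] in server_cas:
            return cert
    return None


def encode_certificate_message(cert_der_list: Sequence[bytes]) -> bytes:
    """Build a TLS 1.0-1.2 Certificate handshake message (RFC 5246, 7.4.2).

    Each certificate is prefixed by a 3-byte length; the whole list gets a
    3-byte length; the handshake header adds a 1-byte type and 3-byte length.
    An empty list therefore yields 1 + 3 + 3 = 7 bytes.
    """
    body = b"".join(len(der).to_bytes(3, "big") + der for der in cert_der_list)
    cert_list = len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_CERTIFICATE]) + len(cert_list).to_bytes(3, "big") + cert_list


def client_certificate_message(certs: Sequence[dict], server_cas: Sequence[str]) -> bytes:
    """What the client puts on the wire after the server's CertificateRequest."""
    chosen = select_client_cert(certs, server_cas)
    return encode_certificate_message([chosen["der"]] if chosen else [])


def credential_preference(have_x509: bool, have_openpgp: bool) -> List[str]:
    """Preference order Simon suggests: driven by loaded credentials, x509 first."""
    order = []
    if have_x509:
        order.append("x509")
    if have_openpgp:
        order.append("openpgp")
    return order


if __name__ == "__main__":
    # Server trusts a different CA than the one that issued the client cert.
    print(client_certificate_message(CLIENT_CERTS, ["CN=Other CA"]).hex())  # 0b00000300000
```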
