Trac is being migrated to new services! Issues can be found in our new YouTrack instance and WIKI pages can be found on our website.

Version 6 (modified by wehlhard, 17 years ago) (diff)

bug

Issues

  • Design issue: In my design, the Certificate struct has an ptr to a GnuTLS certificate structure to hold its internal data. This has the consequence that the SSL connection system and X.509 handling must both be provided by GnuTLS; if, say, SILC provides the X.509 handling, and GnuTLS the SSL connections, everything grinds to a gruesome segfaulty halt.

Should I address this? The only workaround I can think of is to keep a pointer to the PEM-formatted certificate in the Certificate struct instead, but that will require any consumers of the Certificate to have PEM encoding/decoding and constantly decode it from PEM for every use. (June 19)

  • How to ensure that VerificationRequests? get properly trashed in unusual conditions (such as canceling an SSL connection)? (June 26)

Resolved Issues

  • It looks like PKCS12 (the certificate import/export format) is supported by both libNSS and GnuTLS.
  • Jabber "connect with fd" problem solved by porting a change from soc.2007.xmpp (29 May, June 26)
  • Why doesn't a "not accepted" on a certificate cause the connection to fail? (26 June)

TODO

  • General paranoia
  • Look at how the SILC prpl does its key management, especially the organization of the API used to check certs and interact with the user to verify them.
  • Add some way of passing useful error messages back up out of the SSL interface (23 May)
  • Fix purple_ssl_init in sslconn.c; it doesn't do anything (23 May)
    • Talking to nosnilmot suggests that this ought to just be removed outright (24 May)
  • Figure out libNSS everything. (25 May)
  • Why am I getting single-byte serial numbers from servers? (25 May)
  • Work out how to use Glib functions for time checking on certificates. (29 May)
  • Stall the timeouts on the TCP connection while waiting for user input on SSL? (29 May)
  • Worry about ensuring that plugins don't kill in-use ciphers/certschemes when unloaded? (29 May)
  • GnuTLS and NSS should probably be configured to use g_malloc and g_free for paranoia's sake (1 June)
  • e408398aae606a1aafb857413db4fa9736e374ae should be disapproved. It is hacky and stupid (26 June)

Tasks done

  • Figure out how to get key fingerprints out of GnuTLS (25 May, 25 May))
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!