1. 17 Aug, 2017 8 commits
  2. 16 Aug, 2017 5 commits
  3. 12 Aug, 2017 1 commit
  4. 09 Aug, 2017 1 commit
  5. 08 Aug, 2017 2 commits
  6. 06 Aug, 2017 1 commit
  7. 05 Aug, 2017 1 commit
  8. 04 Aug, 2017 3 commits
  9. 28 Jul, 2017 1 commit
  10. 27 Jul, 2017 1 commit
  11. 26 Jul, 2017 1 commit
  12. 25 Jul, 2017 3 commits
  13. 05 May, 2017 2 commits
  14. 02 May, 2017 1 commit
  15. 26 Apr, 2017 1 commit
  16. 23 Apr, 2017 1 commit
  17. 27 Mar, 2017 1 commit
  18. 21 Mar, 2017 5 commits
    • Remove the GnuTLS dependency · e6e0590e
      Debarshi Ray authored
      GIO, backed by glib-networking, has everything that we need.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=780160
    • tls-verifier: Use GIO to verify the chain of TLS certificates · d5b17f72
      Debarshi Ray authored
      Gcr has its own hand-rolled code to complete the certificate chain and
      validate it, which predates the equivalent functionality in GIO. These
      days, GIO's GnuTLS backend is a better option because it defers to
      GnuTLS to do the right thing. It benefits automatically from any
      improvements made to GnuTLS itself.
      
      However, GIO doesn't support certificate pinning. Gcr continues to
      provide that feature.
      
      Note:
      
      (a) We don't set "certificate-hostname" when we encounter
      TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH. The resulting loss
      of verbosity in EmpathyTLSDialog is balanced by no longer relying on a
      specific encryption library.
      
      (b) glib-networking doesn't differentiate between
      GNUTLS_CERT_SIGNER_NOT_FOUND and GNUTLS_CERT_SIGNER_NOT_CA. Hence, we
      club them together as TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED and we
      no longer return TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED.
      
      (c) Unlike Gcr, GnuTLS doesn't seem to provide a way to load a PKCS#11
      module that's built into the code, as opposed to being a shared object.
      This makes it hard for us to load our mock PKCS#11 module. Therefore,
      we have disabled the test case that relies on using PKCS#11 storage to
      complete the certificate chain.
      
      Bump required GLib version to 2.48. We really do need 2.48 because we
      rely on the improvements to GIO's GnuTLS backend.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=780160
    • tests: Retain the PEM formatted root certificate · 526867cc
      Debarshi Ray authored
      In the subsequent commit, we will use GIO's GnuTLS backend to verify
      the chain of TLS certificates instead of Gcr. This means that a
      GckModule can no longer be used to feed our mock root certificates via
      a PKCS#11 module. Instead we will have to create a mock GTlsDatabase,
      and that needs the PEM formatted root certificate.
      
      We will continue using the GckModule for pinned certificates.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=780160
    • tests: Actually test that hostnames of pinned certificates are verified · 61deb1e7
      Debarshi Ray authored
      This test case is about ensuring that a pinned certificate won't be
      validated if the wrong hostname is used.
      
      If we don't add the pinned certificate to our database, then checks for
      pinning are going to fail regardless of the hostname being used. The
      correct certificate-hostname pair needs to be in the database to ensure
      that the hostnames are being matched as advertised.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=780160
    • tests: Fix comment · 29cee6ff
      Debarshi Ray authored
      The existing comment was mistakenly copied from
      test_certificate_verify_success_with_full_chain.
      
      This test case is about a certificate that has been pinned against a
      specific peer. The mock TLS connection doesn't have the full chain,
      but just the leaf-level certificate that has been pinned.
      
      https://bugzilla.gnome.org/show_bug.cgi?id=780160
  19. 20 Mar, 2017 1 commit