1. 12 Nov, 2018 8 commits
    • Prepare 2.59.1 · 63a8eddb
      Michael Catanzaro authored
    • Never accept a missing certificate · 1ba8c0bf
      Michael Catanzaro authored
      If the server doesn't send a certificate, we should wind up failing with
      GNUTLS_E_NO_CIPHER_SUITES. Still, let's explicitly check to make sure
      it's here, just in case.
    • Fix indentation error · 5b423e31
      Michael Catanzaro authored
      Oops
    • Remove the PKCS#11 backend · 4d6caa03
      Michael Catanzaro authored
      Nowadays the normal GnuTLS backend has full PKCS#11 support. (At least,
      it's certainly supposed to.) The PKCS#11 backend has been disabled in
      2.58, which is two months old now, and not a single complaint has
      reached me from Ubuntu 18.10 or Fedora 29 or anywhere else. It's always
      required a special environment variable to enable anyway, so I consider
      all of this code experimental.

      If anyone has a reason to keep this code around, please speak up now! We
      can consider reverting this if there's a good reason to keep the PKCS#11
      backend around that I'm not aware of. But I'm guessing there's not.

      Fixes #7

      Obsoletes #8
    • Rewrite the test for TLS 1.3 again · cce5f871
      Michael Catanzaro authored
      This is based on the same logic we use to compute the minimum available
      protocol version in g_tls_connection_gnutls_init_priorities(), so we can
      figure out whether TLS 1.3 is actually available at runtime or not.
    • Upgrade CI to Fedora 29 · be259803
      Michael Catanzaro authored
      This should no longer be broken.

      And the CI on Fedora 28 actually is broken currently. See the previous
      commit for why it's OK to just upgrade the CI rather than fix that.
    • Try adjusting the connection tests' check for TLS 1.3 · 9e306caa
      Michael Catanzaro authored
      This seems *slightly* better than just checking the GnuTLS version, but
      it's still not actually going to work on Fedora 28, which has GnuTLS 3.6
      but not TLS 1.3. That's achieved by distro patching, though, so I think
      we can declare it effectively unsupported for further glib-networking
      development.
  2. 11 Nov, 2018 7 commits
    • Adapt client auth fail tests to TLS 1.3 · 572ad134
      Michael Catanzaro authored
      There has been a surprising change in behavior regarding TLS client auth
      failure with TLS 1.3, which I have documented here:

      https://gitlab.com/gnutls/gnutls/issues/615

      Basically the problem is that, if the client fails to send a required
      certificate, or sends an unacceptable certificate, the handshake no
      longer fails on the client side. This is a necessity of the protocol
      changes, and it's awkward to attempt to hide this behind the GLib API.
      So the errors we expect to receive in these failure tests are now
      different than they used to be.

      It's unclear to me how we will handle this change with other TLS
      backends.
    • Fix connection failures caused by the certificate verification rework · 5ca0123b
      Michael Catanzaro authored
      I've been confused for a long time why 45c5f335 caused no problems to
      our testsuite, but resulted in massive breakage when released in
      2.57.90. Turns out the answer is session resumption. By moving
      certificate verification into GnuTLS's certificate verification
      callback, our manual verification was now not performed in cases of
      session resumption. This means that the peer-certificate and
      peer-certificate-errors properties were not updated properly. Our code
      was not designed to cope with this.

      So cope with it. We just have to manually update these properties. Be
      super careful, because some of this code can now run on multiple
      threads (but hopefully not at the same time!). It's fine as long as we
      make sure that application-visible notifies are only ever emitted on the
      handshake context's thread, since application callbacks unexpectedly
      running on secondary threads would be bad news. We went to a huge effort
      to avoid that happening with the accept-certificate signal, so it wouldn't
      make sense to screw up notifies now.

      Finally, clear handshake_context later in all codepaths, not for any
      great technical reason, just so we can use it in
      update_peer_certificate() to assert the function is called in the right
      thread. Hopefully this shouldn't break anything.
    • Don't clear peer certificate when rehandshaking · b63615c6
      Michael Catanzaro authored
      The client auth tests check that the client connection's peer
      certificate is nonnull, but it will in fact be null if the server has
      initiated a rehandshake and the rehandshake has not yet finished. It
      should be possible to avoid this by stalling the tests until the
      rehandshake has completed, but there's really no need to clear it here
      in the first place.

      Of course, we still need to clear it when performing certificate
      verification.
    • Revert "Revert "Tighten up handling of server errors"" · bb8f6290
      Michael Catanzaro authored
      This reverts commit 8d3973bb.
    • Add GTLS_DEBUG to ease debugging · f856e264
      Michael Catanzaro authored
      I've rewritten this at least three times now, and it takes a nontrivial
      amount of time to do so. Let's keep it permanently.
    • Fix missing space in build options · e27cc8d0
      Michael Catanzaro authored
  3. 04 Nov, 2018 1 commit
  4. 19 Oct, 2018 1 commit
  5. 15 Oct, 2018 1 commit
  6. 29 Sep, 2018 1 commit
  7. 25 Sep, 2018 2 commits
  8. 19 Sep, 2018 1 commit
  9. 12 Sep, 2018 7 commits
  10. 11 Sep, 2018 2 commits
  11. 06 Sep, 2018 1 commit
  12. 02 Sep, 2018 4 commits
  13. 01 Sep, 2018 1 commit
  14. 31 Aug, 2018 2 commits
  15. 29 Aug, 2018 1 commit