WIP: gnutls: don't attempt to connect to server if TLS interaction fails (!44) · Merge requests · GNOME / glib-networking

Michael Catanzaro requested to merge mcatanzaro/tls-interaction into master May 17, 2019

If we fail to get a client certificate from the TLS interaction, we can either go ahead and try to connect to the server or not. Originally, we didn't. At some point in the past, I arbitrarily changed this to allow trying to connect. The theory is that some servers might request a client certificate, but allow connecting anyway even if it's not provided, and trying to connect would allow for compatibility with such servers.

However, I've never heard of any such server existing. So, for simplicity, let's just fail if the TLS interaction has failed. This is what the code originally did, anyway, and nobody ever requested a change. We can always revisit in the future in the very unlikely event somebody wants to connect to such a server without a client certificate.

Now, this causes a somewhat undesirable change in our test output. The test server is no longer able to fail on G_TLS_ERROR_CERTIFICATE_REQUIRED, because the server is no longer choosing to terminate the connection: it's the client choosing to terminate the connection now. So instead the error will be a generic handshake error. And we use G_TLS_ERROR_NOT_TLS for all handshake errors (see: #63).

I've marked this WIP because:

We need to discuss what server errors we want to see here.
It depends on !43 (merged), which we should land first.

WIP: gnutls: don't attempt to connect to server if TLS interaction fails

Merge request reports