patch: SSL connection to Yahoo with gnutls

Patrick Ohly patrick.ohly at gmx.de
Wed Nov 10 08:40:21 EST 2010


Hello!

I ran into a problem talking to Yahoo. The patch descriptions below has the
details. Do you agree with the solution? Can you include it in some future
release? Any idea when such a release might be prepared?

------------------------------------------------------------------------

Establishing a SSL connection to Yahoo! CalDAV fails with gnutls if no client
certificate is available. The reason is that a) Yahoo requests a client
certificate and b) neon returns GNUTLS_E_NO_CERTIFICATE_FOUND when none is
available.

gnutls (tested: 2.8.6-1 and the latest stable 2.10.1) treat this as a
client-side failure and aborts, although the server might accept a
client without a certificate (as Yahoo does).

It is uncertain in which cases this behavior is desired. If the app
sets neither certificate nor provider callback, then it is obvious
that it wants an SSL connection without client certificate and neon
should allow gnutls to proceed. This patch achieves that by returning
from provide_client_cert() without error in that case.

The case that the app's provider callback doesn't set a certificate
still leads to GNUTLS_E_NO_CERTIFICATE_FOUND and thus an abort.

For the record, the errors logged in that case are (from gnutls and neon):

HSK[0x139cbe0]: CERTIFICATE REQUEST was received [9 bytes]
ASSERT: auth_cert.c:459
ASSERT: auth_cert.c:1388
ASSERT: gnutls_handshake.c:2395
ASSERT: gnutls_record.c:262

Request ends, status 0 class 0xx, error line:
SSL handshake failed, client certificate was requested: SSL error: GnuTLS
internal error.

diff -r -c neon-0.29.5/src/ne_gnutls.c neon-0.29.5.no-cert//src/ne_gnutls.c
*** neon-0.29.5/src/ne_gnutls.c	2009-12-02 22:40:41.000000000 +0100
--- neon-0.29.5.no-cert//src/ne_gnutls.c	2010-11-10 14:19:40.260695609 +0100
***************
*** 623,629 ****
      } else {
          NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");
          sess->ssl_cc_requested = 1;
!         return GNUTLS_E_NO_CERTIFICATE_FOUND;
      }
  
      return 0;
--- 623,633 ----
      } else {
          NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");
          sess->ssl_cc_requested = 1;
!         // If the app was not interested in providing a client certificate
!         // (neither certificate set nor provider), then try to continue
!         // without one. Returning GNUTLS_E_NO_CERTIFICATE_FOUND here causes
!         // gnutls to abort.
!         return sess->ssl_provide_fn ? GNUTLS_E_NO_CERTIFICATE_FOUND : 0;
      }
  
      return 0;





More information about the neon mailing list