Re: GnuTLS 2.3.12 - second release candidate for 2.4.0

[Simon Josefsson]

Daniel Kahn Gillmor <address@hidden> writes:

> On Sun 2008-06-08 04:58:30 -0400, Nikos Mavrogiannopoulos wrote:
>
>> Simon Josefsson wrote:
>>> This the second release candidate for 2.4.0.  Anything that doesn't live
>>> up to the expectations on a stable release should be reported before
>>> this turns into the real 2.4.0.  We hope to release 2.4.0 within a week
>>> or two.
>>> 
>>> The goals for the 2.3.x branch are tracked at:
>>> 
>>> http://trac.gnutls.org/cgi-bin/trac.cgi/milestone/gnutls-2.4
>>
>> The last open issue with this release has now been solved in the
>> repository (issue being the OpenPGP certificate verification).
>
> It's not clear to me if you mean that this should be resolved in
> 2.3.12, or after 2.3.12, Nikos.  It looks to me like it has *not* been
> resolved in 2.3.12 yet.  In particular, it appears to fail open: when
> one userid is verified, it treats them all as verified, even User IDs
> that have no certifications other than self-signatures.

Actually, it should only be fixed after 2.3.13, but it seems the daily
builds for trunk has stopped working some time ago -- I'll try to fix
that.

> When i run the tests from
> http://trac.gnutls.org/cgi-bin/trac.cgi/attachment/ticket/32/openpgp-certs.tgz
> against the 2.3.12 packages in debian experimental, i get the
> following output:
>
> [0 address@hidden openpgp-certs]$ ./testcerts 
> Set static Diffie Hellman parameters, consider --dhparams.
> Echo Server ready. Listening to port '12345'.
>
> Failure: Connection to unverified (but present) 'localhost' should have 
> failed!
> Exiting via signal 15
> Set static Diffie Hellman parameters, consider --dhparams.
> Echo Server ready. Listening to port '12345'.
>
> Failure: Connection to unverified IP address should have failed! (error code 
> 0)
> Exiting via signal 15
> [1 address@hidden openpgp-certs]$ 

I'll do a 2.3.14 release so that you can confirm that this has been
fixed.

Thanks,
Simon