A recent change in gnutls that was released with 3.5.6 changed the behavior of dname en- and decoding to follow RFC4514. That breaks the related tests which failed validation in virNetTLSContextCheckCertDNWhitelist due to the strings no more matching in the fnmatch check. The fix is a gnutls version dependent definition of the wildcard strings used by the tests (older gnutls versions require the old order).
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
tests/virnettlssessiontest.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 0d2e106..c0ef5f6 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -374,6 +374,33 @@ mymain(void)
 DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename, false, false, "wiki.libvirt.org", NULL);
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+ const char *const wildcards1[] = {
+ "CN=dogfood,C=UK",
+ NULL,
+ };
+ const char *const wildcards2[] = {
+ "CN=libvirt,C=UK",
+ NULL,
+ };
+ const char *const wildcards3[] = {
+ "CN=dogfood,C=UK",
+ "CN=libvirt,C=UK",
+ NULL,
+ };
+ const char *const wildcards4[] = {
+ "CN=libvirtstuff,C=UK",
+ NULL,
+ };
+ const char *const wildcards5[] = {
+ "CN=libvirt*,C=UK",
+ NULL,
+ };
+ const char *const wildcards6[] = {
+ "CN=*virt*,C=UK",
+ NULL,
+ };
+#else
 const char *const wildcards1[] = {
 "C=UK,CN=dogfood",
 NULL,
@@ -399,6 +426,7 @@ mymain(void)
 "C=UK,CN=*virt*",
 NULL,
 };
+#endif /* GNUTLS_VERSION_NUMBER >= 0x030506 */
 DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename, true, false, "libvirt.org", wildcards1);
--
2.7.4
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
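Review bot: The `#if GNUTLS_VERSION_NUMBER >= 0x030506` guard at the top of the first hunk picks the DN order from the headers the test was compiled against, but the string compared in the fnmatch check comes from whichever gnutls library is loaded at run time, so a binary built against older headers and run with 3.5.6 or newer (or the reverse) would still fail. Selecting the patterns with `gnutls_check_version("3.5.6")` tracks the library actually in use and removes the duplicated arrays, which also makes the `#endif` of the second hunk unnecessary; a sketch follows. The patch adapts only the test data: whitelist entries that administrators wrote in the old `C=UK,CN=...` order would presumably stop matching in virNetTLSContextCheckCertDNWhitelist after a gnutls upgrade, as the tests did, and that deserves a line in the commit message or the configuration documentation. mymain's body starts and ends outside both hunks.

```c
    /* gnutls >= 3.5.6 prints DNs in RFC4514 order (CN=...,C=...); choose the
     * patterns from the library loaded at run time, not from the headers. */
    const bool rfc4514 = gnutls_check_version("3.5.6") != NULL;
    const char *const wildcards1[] = {
        rfc4514 ? "CN=dogfood,C=UK" : "C=UK,CN=dogfood",
        NULL,
    };
    /* … wildcards2 to wildcards6 built the same way, one array each … */
```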