Hello,

this is against git head from today.

During configure:

checking for GNUTLS... yes
checking for gnutls_dtls_set_data_mtu... no
checking for gnutls_certificate_set_x509_system_trust... no
checking For location of system CA trust file... NOT FOUND
configure: error: Unable to find a standard system CA certificate file.
Your GnuTLS requires a path to a CA certificate store. This is a file
which contains a list of the Certificate Authorities which are trusted.
Most distributions ship with this file in a standard location, but none
the known standard locations exist on your system. You should provide a
--with-system-cafile= argument to this configure script, giving the full
path to a default CA certificate file for GnuTLS to use.
Also, please send full details of your system, including 'uname -a'
output and the location of the system CA certificate store on your
system, to the openconnect-devel at lists.infradead.org mailing list.

jmayer at egg:~> uname -a
Linux egg 3.8.6-2-desktop #1 SMP PREEMPT Mon Apr 8 12:20:48 UTC 2013 (290a7e9) i686 i686 i386 GNU/Linux
jmayer at egg:~> lsb_release -a
LSB Version:    n/a
Distributor ID: SUSE LINUX
Description:    openSUSE 12.1 (i586)
Release:        12.1
Codename:       Asparagus

jmayer at egg:~/work/vpn/openconnect/build(master)> ../configure --with-system-cafile=/etc/ssl/ca-bundle.pem
[configure success]

During make:

make[1]: Entering directory `/home/jmayer/work/vpn/openconnect/build'
New version: v4.08-146-gf232096
  CC     libopenconnect_la-gnutls.lo
../gnutls.c: In function 'verify_signed_data':
../gnutls.c:590:3: error: implicit declaration of function 'gnutls_pk_to_sign' [-Werror=implicit-function-declaration]
   algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),
   ^
../gnutls.c:590:3: warning: nested extern declaration of 'gnutls_pk_to_sign' [-Wnested-externs]
cc1: some warnings being treated as errors
make[1]: *** [libopenconnect_la-gnutls.lo] Error 1
make[1]: Leaving directory `/home/jmayer/work/vpn/openconnect/build'
make: *** [all-recursive] Error 1

jmayer at egg:~/work/vpn/openconnect(master)> zypper se -s gnutls | grep ^i
i | gnutls                | package | 3.0.3-5.11.1 | i586 | openSUSE-Update
i | libgnutls-devel       | package | 3.0.3-5.11.1 | i586 | openSUSE-Update
i | libgnutls-extra-devel | package | 3.0.3-5.11.1 | i586 | openSUSE-Update
i | libgnutls-extra28     | package | 3.0.3-5.11.1 | i586 | openSUSE-Update
i | libgnutls28           | package | 3.0.3-5.11.1 | i586 | openSUSE-Update
jmayer at egg:~/work/vpn/openconnect(master)> zypper se -s openssl | grep ^i
i | libopenssl-devel | package | 1.0.0k-34.20.1 | i586 | openSUSE-Update
i | libopenssl1_0_0  | package | 1.0.0k-34.20.1 | i586 | openSUSE-Update
i | openssl          | package | 1.0.0k-34.20.1 | i586 | openSUSE-Update

Creating and applying the following change got me further (full patch as attachment):

diff --git a/configure.ac b/configure.ac
a/configure.ac
+ AC_CHECK_FUNC(gnutls_pk_to_sign,
+ [AC_DEFINE(HAVE_GNUTLS_PUBKEY_TO_SIGN, 1)], [])
 AC_CHECK_FUNC(gnutls_pubkey_verify_data2,
 [AC_DEFINE(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2, 1)], [])
diff --git a/gnutls.c b/gnutls.c
--- a/gnutls.c
-#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
+#if defined(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2) && defined(HAVE_GNUTLS_PUBKEY_TO_SIGN)
 gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */

Doing make now gets me a bit further:

  CC     openconnect-dtls.o
../dtls.c:129:2: error: #error This version of OpenSSL is known to be broken with Cisco DTLS.
 #error This version of OpenSSL is known to be broken with Cisco DTLS.
  ^
make[1]: *** [openconnect-dtls.o] Error 1

IMO, this is plain wrong for several reasons:

- This belongs into the configure check, not into the source file. Even
  then, it should probably be a prominent warning at the end of the
  process only, not an error. configure can also check for the gnutls
  version and either propose to use gnutls instead or even automagically
  fall back to using gnutls if present.
- As there will hopefully be an update one day to openssl that fixes the
  problem, it should always compile (not just via a define in the build)
  and complain at startup or (as currently also implemented) during
  connection setup. As openssl bugfix releases do not require
  applications to be recompiled, openconnect should not require this
  either.
- The server I want to connect to will accept TLS connections as well,
  but without fiddling with the source I won't be able to connect at all
  (because of no binary). This again looks wrong to me.

jmayer at egg:~/work/vpn/openconnect/build(master)> CFLAGS=-DNO_BROKEN_DTLS_CHECK ../configure --with-system-cafile=/etc/ssl/ca-bundle.pem

This finally got me the binary I wanted :-)

Thanks for openconnect btw! Feel free to apply or modify+apply the patch
to the repo.

Ciao
   Jörg
-- 
Joerg Mayer <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that works.
Some say that should read Microsoft instead of technology.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_pk_to_sign.patch
Type: text/x-diff
Size: 1150 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130428/3c321569/attachment.bin>
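Review bot: in the configure.ac hunk the macro name does not match the function being probed: the new AC_CHECK_FUNC tests `gnutls_pk_to_sign` but defines `HAVE_GNUTLS_PUBKEY_TO_SIGN`, whereas the existing line right below pairs `gnutls_pubkey_verify_data2` with `HAVE_GNUTLS_PUBKEY_VERIFY_DATA2`. Defining `HAVE_GNUTLS_PK_TO_SIGN` instead keeps that convention and makes the guard in gnutls.c read as what it checks; whichever spelling is kept, it has to be identical in both files, since a mismatch silently disables the code path rather than failing the build. Note also that AC_CHECK_FUNC links a test program, so the probe only finds the symbol when LIBS already carries the GnuTLS library at that point in configure.ac, exactly as the adjacent check relies on; keep the two together.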
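Review bot: in the gnutls.c hunk the `#if` now requires both `HAVE_GNUTLS_PUBKEY_VERIFY_DATA2` and `HAVE_GNUTLS_PUBKEY_TO_SIGN`, but the hunk does not show what the other branch does on a GnuTLS that has `gnutls_pubkey_verify_data2` yet lacks `gnutls_pk_to_sign` (the reporter's 3.0.3): the only visible context is `algo` defaulting to `GNUTLS_SIGN_RSA_SHA1` with a `/* TPM keys */` comment, so a reviewer cannot tell whether non-RSA or non-SHA1 keys are still verified correctly on that path. A short comment above the `#if` naming the GnuTLS release that introduced `gnutls_pk_to_sign`, plus a line in the commit message stating that the fallback branch was exercised against 3.0.3 (the reporter only confirms that it compiles and that the resulting binary connects), would make the change reviewable.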
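The runtime check the report argues for, as an added example that is not openconnect's code: instead of a compile-time #error keyed on the headers, the decision to enable Cisco DTLS is taken from the version of the OpenSSL library actually loaded, so a libssl bugfix update takes effect without a rebuild, and a broken library only costs DTLS, not the whole binary. The version-number layout is OpenSSL's documented MNNFFPPS encoding (major, minor, fix, patch letter, status nibble). The table of "broken" releases is a placeholder built from the single data point on the page (1.0.0k tripped the #error); the real list lives in openconnect's dtls.c and is not reproduced here. `SSLeay()` and `OPENSSL_VERSION_NUMBER` are only referenced when compiled with `-DUSE_REAL_OPENSSL`; by default the program runs on constructed version numbers, and 1.0.1e is used purely as a hypothetical "not on the list" release, not as a claim about that version.

```c
/* Added example, not openconnect code: run-time instead of compile-time
 * OpenSSL version gating for Cisco DTLS. Versions are OpenSSL's MNNFFPPS
 * numbers (e.g. 1.0.0k = 0x100000bfUL). */
#include <stdio.h>
#include <string.h>

#ifdef USE_REAL_OPENSSL
#include <openssl/crypto.h>   /* OPENSSL_VERSION_NUMBER, SSLeay() (1.0.x; 1.1+ calls it OpenSSL_version_num()) */
#endif

struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split a version number into its fields: M NN FF PP S (4,8,8,8,4 bits). */
static void decode_openssl_version(unsigned long v, struct ossl_version *out)
{
    out->major  = (unsigned)((v >> 28) & 0xf);
    out->minor  = (unsigned)((v >> 20) & 0xff);
    out->fix    = (unsigned)((v >> 12) & 0xff);
    out->patch  = (unsigned)((v >> 4)  & 0xff);  /* 1 = 'a', 11 = 'k', 0 = none */
    out->status = (unsigned)(v & 0xf);           /* 0 = dev, 1..14 = beta, 15 = release */
}

/* Render a version number the way OpenSSL prints it, e.g. "1.0.0k". */
static const char *format_openssl_version(unsigned long v, char *buf, size_t n)
{
    struct ossl_version ver;
    int len;

    decode_openssl_version(v, &ver);
    len = snprintf(buf, n, "%u.%u.%u", ver.major, ver.minor, ver.fix);
    if (len < 0 || (size_t)len >= n)
        return buf;
    if (ver.patch >= 1 && ver.patch <= 26)
        len += snprintf(buf + len, n - len, "%c", 'a' + (int)(ver.patch - 1));
    else if (ver.patch)
        len += snprintf(buf + len, n - len, "+%u", ver.patch);
    if (len < 0 || (size_t)len >= n)
        return buf;
    if (ver.status == 0)
        snprintf(buf + len, n - len, "-dev");
    else if (ver.status != 0xf)
        snprintf(buf + len, n - len, "-beta%u", ver.status);
    return buf;
}

/* PLACEHOLDER table, constructed from the one observation in the report
 * (1.0.0k failed the #error). The authoritative list is the project's. */
static const unsigned long dtls_broken_openssl[] = {
    0x100000bfUL,   /* 1.0.0k */
};

/* 1 if the loaded library version is on the broken list, else 0. */
static int openssl_dtls_known_broken(unsigned long v)
{
    size_t i;
    for (i = 0; i < sizeof dtls_broken_openssl / sizeof dtls_broken_openssl[0]; i++)
        if (dtls_broken_openssl[i] == v)
            return 1;
    return 0;
}

enum dtls_verdict {
    DTLS_OK = 0,               /* loaded library is fine: enable DTLS */
    DTLS_OK_LIBRARY_UPGRADED,  /* built against a listed release, but a different one is loaded */
    DTLS_BROKEN                /* loaded library is listed: use TLS only, keep running */
};

/* Only the run-time version decides; the compile-time one is reported so
 * the user can see that a library update was picked up without a rebuild. */
static enum dtls_verdict assess_dtls_support(unsigned long built_against, unsigned long loaded)
{
    if (openssl_dtls_known_broken(loaded))
        return DTLS_BROKEN;
    if (openssl_dtls_known_broken(built_against))
        return DTLS_OK_LIBRARY_UPGRADED;
    return DTLS_OK;
}

static void report(unsigned long built_against, unsigned long loaded)
{
    char b[32], l[32];
    switch (assess_dtls_support(built_against, loaded)) {
    case DTLS_BROKEN:
        fprintf(stderr, "OpenSSL %s is known to be broken with Cisco DTLS; using TLS only.\n",
                format_openssl_version(loaded, l, sizeof l));
        break;
    case DTLS_OK_LIBRARY_UPGRADED:
        printf("Built against OpenSSL %s, running %s: DTLS enabled.\n",
               format_openssl_version(built_against, b, sizeof b),
               format_openssl_version(loaded, l, sizeof l));
        break;
    case DTLS_OK:
        printf("OpenSSL %s: DTLS enabled.\n", format_openssl_version(loaded, l, sizeof l));
        break;
    }
}

int main(void)
{
#ifdef USE_REAL_OPENSSL
    report(OPENSSL_VERSION_NUMBER, SSLeay());
#else
    /* Constructed inputs: the page's 1.0.0k, and 1.0.1e as a hypothetical unlisted release. */
    report(0x100000bfUL, 0x100000bfUL);   /* broken library loaded: TLS only */
    report(0x100000bfUL, 0x1000105fUL);   /* library updated under a binary built on 1.0.0k */
    report(0x1000105fUL, 0x1000105fUL);
#endif
    return 0;
}
```

The design point is the middle case in `main`: the binary was built against a listed release, but because the verdict is derived from `SSLeay()` rather than `OPENSSL_VERSION_NUMBER`, the updated library is honoured without recompiling, which is what the report asks for. A configure-time probe can still emit the same information as an `AC_MSG_WARN` at the end of configure, but it should not be the thing that stops the build.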