On Sun, 2013-04-28 at 14:11 +0200, Joerg Mayer wrote:
> Hello,
>
> this is against git head from today.

Apologies for delayed reply. Some messages which came in while I was on
paternity leave got ignored a little bit... :)

> During configure:
>
> checking for GNUTLS... yes
> checking for gnutls_dtls_set_data_mtu... no
> checking for gnutls_certificate_set_x509_system_trust... no
> checking For location of system CA trust file... NOT FOUND
> configure: error: Unable to find a standard system CA certificate file.
> Your GnuTLS requires a path to a CA certificate store. This is a file
> which contains a list of the Certificate Authorities which are trusted.

It looks like upstream GnuTLS will fail similarly, right? I've added
/etc/ssl/ca-bundle.pem to my list, as you suggest. Nikos will presumably
want to do the same?

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/d5381b38

> diff --git a/configure.ac b/configure.ac
> a/configure.ac
> + AC_CHECK_FUNC(gnutls_pk_to_sign,
> + [AC_DEFINE(HAVE_GNUTLS_PUBKEY_TO_SIGN, 1)], [])
> AC_CHECK_FUNC(gnutls_pubkey_verify_data2,
> [AC_DEFINE(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2, 1)], [])
> diff --git a/gnutls.c b/gnutls.c
> --- a/gnutls.c
> -#ifdef HAVE_GNUTLS_PUBKEY_VERIFY_DATA2
> +#if defined(HAVE_GNUTLS_PUBKEY_VERIFY_DATA2) && defined(HAVE_GNUTLS_PUBKEY_TO_SIGN)
> gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */

In fact we might as well not bother checking for gnutls_pubkey_verify_data2()
at all. We'll check *only* for gnutls_pk_to_sign(). If that doesn't exist,
then we'll just use gnutls_pubkey_verify_data() as before.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/221948f8

> Doing make now gets me a bit further:
>
>   CC openconnect-dtls.o
> ../dtls.c:129:2: error: #error This version of OpenSSL is known to be broken with Cisco DTLS.
>  #error This version of OpenSSL is known to be broken with Cisco DTLS.
>   ^
> make[1]: *** [openconnect-dtls.o] Error 1
>
> IMO, this is plain wrong for several reasons:

Yeah, I was being lazy and pushing the burden onto the people who are
still using OpenSSL when they should have switched to GnuTLS (which is in
fact the default now, since 5.00).

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/a899e355

Thanks for reporting these.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130531/b5248f6c/attachment.bin>
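Review bot: in the configure.ac hunk the macro name does not match the function being probed: `AC_CHECK_FUNC(gnutls_pk_to_sign, ...)` defines `HAVE_GNUTLS_PUBKEY_TO_SIGN`, whereas the neighbouring check defines `HAVE_GNUTLS_PUBKEY_VERIFY_DATA2` for `gnutls_pubkey_verify_data2`, so the new macro reads as if a `gnutls_pubkey_to_sign` function had been tested. Naming it `HAVE_GNUTLS_PK_TO_SIGN` (and updating the `defined(...)` test in the gnutls.c hunk to match) would keep the configure result and the `#if` in gnutls.c self-describing, which matters here because that `#if` decides whether the TPM-key signing path is compiled in.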